Академический Документы
Профессиональный Документы
Культура Документы
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCDE, CCENT, CCSI, Cisco Eos, Cisco Explorer, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco TrustSec, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. Cisco AnyConnect VPN Client Administrator Guide 2007-2010 Cisco Systems, Inc. All rights reserved.
CONTENTS
7 7
8 8 9 10
CHAPTER
Introduction
1 1
Getting and Installing the Files You Need 7 CSA Interoperability with the AnyConnect Client and Cisco Secure Desktop
2
CHAPTER
Common AnyConnect VPN Client Installation and Configuration Procedures Installing the AnyConnect Client
1
Before You Install the AnyConnect Client 2 Ensuring Automatic Installation of AnyConnect Clients 2 AnyConnect Client and New Windows Installations 3 Adding a Security Appliance to the List of Trusted Sites (Internet Explorer) 3 Adding a Security Certificate in Response to Browser Security Alert Windows 4 Replacing a Digital Certificate with a Trusted Certificate 7 Installing the AnyConnect Client on a Users PC 8 Where to Find the AnyConnect Client Files to Install 8 Installing the AnyConnect Client Using the Microsoft Windows Installer on a PC Running Windows 8 Installing the AnyConnect Client on a PC Running Linux 9 Installing the AnyConnect Client on a PC Running MAC OSX 9
Contents
CHAPTER
Installing the AnyConnect Client and Configuring the Security Appliance with ASDM Installing the AnyConnect Client on a Security Appliance Using CLI Enabling AnyConnect Client SSL VPN Connections Using CLI Disabling Permanent Client Installation
4 2 1
CHAPTER
CHAPTER
1 1
Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections Configuring DTLS 2 Prompting Remote Users Enabling IPv6 VPN Access
4 5 5
Configuring, Enabling, and Using Other AnyConnect Features 6 Configuring Certificate-only Authentication 6 Using Compression 9 Changing Compression Globally 10 Changing Compression for Groups and Users 10 Enabling AnyConnect Keepalives 11 Enabling AnyConnect Rekey 12 Enabling and Adjusting Dead Peer Detection 14 Configuring the Dynamic Access Policies Feature of the Security Appliance Cisco Secure Desktop Support 15
6
15
CHAPTER
1 1
Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections Enabling DTLS Globally for a Specific Port 2 Enabling DTLS for Specific Groups or Users 2 Prompting Remote Users Enabling IPv6 VPN Access
2 3 4
Configuring, Enabling, and Using Other AnyConnect Features 5 Configuring Certificate-only Authentication 5 Using Compression 5 Configuring the Dynamic Access Policies Feature of the Security Appliance Cisco Secure Desktop Support 6 Enabling AnyConnect Rekey 6 Enabling and Adjusting Dead Peer Detection 7 Enabling AnyConnect Keepalives 8
Cisco AnyConnect VPN Client Administrator Guide
OL-12950-012
Contents
CHAPTER
Configuring and Using AnyConnect Client Operating Modes and User Profiles AnyConnect Client Operating Modes 1 Using the AnyConnect CLI Commands to Connect (Standalone Mode) Connecting Using WebLaunch 3 User Log In and Log Out 4 Logging In 4 Logging Out 4 Configuring and Using User Profiles 4 Enabling AnyConnect Client Profile Downloads
5 1
Configuring Profile Attributes 10 Enabling Start Before Logon (SBL) for the AnyConnect Client XML Settings for Enabling SBL 11 CLI Settings for Enabling SBL 11 Configuring the ServerList Attribute 12 Configuring the Certificate Match Attribute 12 Certificate Key Usage Matching 12 Extended Certificate Key Usage Matching 13 Certificate Distinguished Name Mapping 13 Certificate Matching Example 15
8
11
CHAPTER
Customizing the End-user Experience 1 Language Translation (Localization) for User Messages 3 Understanding Language Translation 3 Configuring Language Localization Using ASDM 4 Creating or Modifying a Translation Table Using ASDM 6 Import/Export Language Localization 7 Creating or Modifying a Translation Table Using CLI 8
9
CHAPTER
Viewing AnyConnect Client and SSL VPN Sessions 1 Adjusting MTU Size Using ASDM 2 Adjusting MTU Size Using CLI 2 Logging Off AnyConnect Client Sessions 3 Updating AnyConnect Client and SSL VPN Client Images
A
APPENDIX
Contents
APPENDIX
Using Microsoft Active Directory to Add the Security Appliance to the List of Internet Explorer Trusted Sites for Domain Users 1
INDEX
OL-12950-012
This preface introduces the Cisco AnyConnect VPN Client Administrator Guide, and includes the following sections:
Document Objectives, page 7 Audience, page 7 Related Documentation, page 8 Document Organization, page 8 Document Conventions, page 9 Obtaining Documentation, Obtaining Support, and Security Guidelines, page 10 Licensing, page 10
Document Objectives
The purpose of this guide is to help you configure the Cisco AnyConnect VPN Client parameters on the security appliance. This guide does not cover every feature, but describes only the most common configuration scenarios. You can configure and monitor the security appliance by using either the command-line interface or ASDM, a web-based GUI application. ASDM includes configuration wizards to guide you through some common configuration scenarios, and online Help for less common scenarios. For more information, see: http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm This guide applies to the Cisco ASA 5500 series security appliances (ASA 5505 and higher). Throughout this guide, the term security appliance applies generically to all supported models, unless specified otherwise. The PIX family of security appliances is not supported.
Audience
This guide is for network managers who perform any of the following tasks:
Related Documentation
For more information, refer to the following documentation:
Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide Cisco ASA 5500 Series Release Notes Cisco ASDM Release Notes Cisco ASDM Online Help Release Notes for Cisco AnyConnect VPN Client, Release 2.0 Cisco Security Appliance Command Reference Cisco Security Appliance Logging Configuration and System Log Messages Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators For Open Source License information for this product, please see the following link: http://www.cisco.com/en/US/docs/security/asa/asa80/license/opensrce.html#wp50053.
Document Organization
This guide includes the chapters and appendixes described in Table 1.
Table 1 Document Organization
Chapter/Appendix Chapter 1, Introduction Chapter 2, Common AnyConnect VPN Client Installation and Configuration Procedures Chapter 3, Installing the AnyConnect Client and Configuring the Security Appliance with ASDM
Definition Provides a high-level overview of the Cisco Anyconnect VPN Client. Describes how to access the required files and install the Cisco AnyConnect VPN Client on the security appliance and on the remote user PCs.
Describes how to use ASDM to install the Cisco AnyConnect VPN Client on the security appliance.
Chapter 4, Installing the Describes how to use the command-line interface to install the Cisco AnyConnect VPN AnyConnect Client on a Security Client on the security appliance. Appliance Using CLI Chapter 5, Configuring AnyConnect Features Using ASDM Chapter 6, Configuring AnyConnect Features Using CLI Chapter 7, Configuring and Using AnyConnect Client Operating Modes and User Profiles Describes how to use ASDM to configure the various features of the Cisco AnyConnect VPN Client on the security appliance. Describes how to use ASDM to configure the various features of the Cisco AnyConnect VPN Client on the security appliance. Describes how to configure and use AnyConnect client operating modes and XML users profiles.
OL-12950-012
Table 1
Chapter/Appendix Chapter 8, Customizing and Localizing the AnyConnect Client Chapter 9, Monitoring and Maintaining the AnyConnect Client Appendix A, Sample AnyConnect Profile and XML Schema
Definition Describes how to customize and localize the end-user interface of the Cisco AnyConnect VPN Client. Describes how to monitor and maintain the Cisco AnyConnect VPN Client using the security appliance Provides a sample AnyConnect user XML profile and an XML schema that you can use to validate the user profiles you create.
Appendix B, Using Microsoft Describes in detail how an Active Directory Domain Administrator can push to remote Active Directory to Add the users a group policy that adds the security appliance to the list of trusted sites in Internet Security Appliance to the List of Explorer. Internet Explorer Trusted Sites for Domain Users
Document Conventions
Command descriptions use these conventions:
Braces ({ }) indicate a required choice. Square brackets ([ ]) indicate optional elements. Vertical bars ( | ) separate alternative, mutually exclusive elements. Right-pointing angle brackets (>) indicate a sequence in a path. Boldface indicates commands and keywords that are entered literally as shown. Italics indicate arguments for which you supply values. Examples depict screen displays and the command line in screen font. Information you need to enter in examples is shown in boldface screen font. Variables for which you must supply a value are shown in italic screen font.
Note
Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
About This Guide Obtaining Documentation, Obtaining Support, and Security Guidelines
Licensing
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
10
OL-12950-012
CH A P T E R
Introduction
This book describes a process for getting the Cisco AnyConnect VPN Client up and running on your central-site security appliance and on your remote users PCs. In this context, PC refers generically to Windows, Mac, and Linux devices, but the focus in this document is primarily on Windows PC users.
Note
PIX does not support SSL VPN connections, either clientless or AnyConnect. The AnyConnect client supports Windows Vista, Windows XP and Windows 2000, Mac OS X (Version 10.4 or later) on either Intel or PowerPC, and Red Hat Linux (Version 9 or later). See the Release Notes for the full set of platform requirements and supported versions. As the network administrator, you configure the AnyConnect client features on the security appliance. Then, you can load the client on the security appliance and have it automatically download to remote users when they log in, or you can manually install the client as an application on PCs. The client allows user profiles that are displayed in the user interface and define the names and addresses of host computers. The network administrator can assign particular features to individual users or groups. The AnyConnect client includes the following features:
Datagram Transport Layer Security (DTLS) with SSL connectionsAvoids latency and bandwidth problems associated with some SSL-only connections and improves the performance of real-time applications that are sensitive to packet delays. DTLS is a standards-based SSL protocol that provides a low-latency data path using UDP. For detailed information about DTLS, see RFC 4347 (http://www.ietf.org/rfc/rfc4347.txt). Standalone ModeAllows a Cisco AnyConnect VPN client to be established as a PC application without the need to use a web browser to establish a connection. Command Line Interface (CLI)Provides direct access to client commands at the command prompt. Microsoft Installer (MSI)Gives Windows users a pre-install package option that provides installation, maintenance, and removal of AnyConnect client software on Windows systems.
1-1
Introduction
IPv6 VPN accessAllows access to IPv6 resources over a public IPv4 connection (Windows XP SP2, Windows Vista, Mac OSX, and Linux only). Start Before Login (SBL)Allows for login scripts, password caching, drive mapping, and more, for Windows. Certificate-only authenticationAllows users to connect with digital certificate and not provide a user ID and password. Simultaneous AnyConnect client and clientless, browser-based connectionsAllows a user to have both an AnyConnect (standalone) connection and a Clientless SSL VPN connection (through a browser) at the same time to the same IP address. Each connection has its own tunnel. CompressionIncreases the communications performance between the security appliance and the client by reducing the size of the packets being transferred. Compression works only for TLS. Fallback from DTLS to TLSProvides a way of falling back from DTLS to TLS if DTLS is no longer working. Language Translation (localization)Provides a way of implementing translation for user messages that appear on the client user interface. Dynamic Access Policies feature of the security applianceLets you configure authorization that addresses the variables of multiple group membership and endpoint security for VPN connections. Cisco Secure Desktop supportValidates the security of client computers requesting access to your SSL VPN, helps ensure they remain secure while they are connected, and attempts to remove traces of the session after they disconnect. The Cisco AnyConnect VPN Client supports the Secure Desktop functions of Cisco Secure Desktop for Windows 2000 and Windows XP. RekeySpecifies that SSL renegotiation takes place during rekey.
Note
The Cisco AnyConnect VPN Client can coexist with the IPSec Cisco VPN Client, but they cannot be used simultaneously.
1-2
OL-12950-012
Chapter 1
Figure 1-1
If you do not have certificates set up, you might see the dialog box shown in Figure 1-2. When you see this dialog box, click Yes to connect.
Figure 1-2 Security Alert Dialog Box
Note
Note: Most users (those with correct certificate deployments) do not see this dialog box. Table 1-1 shows the circumstances and results when the Security Alert dialog box appears.
1-3
Introduction
Table 1-1
Certificate Status Server certificate sent to the client from the security appliance is independently verifiable and the certificate has no serious errors. Server certificate sent to the client from the security appliance is not independently verifiable and the certificate contains serious errors.
No
Failure
Server certificate sent to the client from Yes the security appliance is not independently verifiable and the certificate does not contain serious errors.
Because the client cannot verify the certificate, it is still a security concern. The client asks the user whether to continue with the connection attempt.
The Security Alert dialog box appears only on the first connection attempt to a given security appliance. After the connection is successfully established, the thumbprint of the server certificate is saved in the preferences file, so the user is not prompted on subsequent connections to the same security appliance. If the user switches to a different security appliance and back, the Security Alert dialog box appears again. For detailed information and examples of instances in which the remote user does or does not see the Security Alert dialog box, see Adding a Security Certificate in Response to Browser Security Alert Windows, page 2-4.
1-4
OL-12950-012
Chapter 1
Figure 1-3 shows the Statistics tab, including current connection information.
Figure 1-3 Cisco AnyConnect VPN Client User Interface, Statistics Tab
Clicking the Details tab shows Statistics Details window (Figure 1-4). The Statistics tab in the Statistics Details window has detailed connection statistical information, including the tunnel state and mode, the duration of the connection, the number of bytes and frames sent and received, address information, transport information, and Cisco Secure Desktop posture assessment status. The Reset button on this tab resets the transmission statistics. The Export button lets you export the current statistics, interface, and routing table to a text file. The AnyConnect client prompts you for a name and location for the text file. The default name is AnyConnect-ExportedStats.txt, and the default location is on the desktop.
1-5
Introduction
Figure 1-4
Cisco AnyConnect VPN Client User Interface, Statistics Tab, Statistics Details Tab
Clicking the Route Details tab (Figure 1-5) shows the secured and non-secured routes for this connection.
Figure 1-5 Cisco AnyConnect VPN Client User Interface, Statistics Tab, Route Details Tab
Note
A Secured Routes entry with the destination 0.0.0.0 and the subnet mask 0.0.0.0 means that all traffic is tunneled. The About tab (Figure 1-6) shows version, copyright, and documentary information about the Cisco AnyConnect Client.
1-6
OL-12950-012
Chapter 1
Figure 1-6
Note
The Windows Vista version of AnyConnect (32- and 64-bit) supports everything that the Windows 2000 and Windows XP versions support, with the exception of Start Before Logon. Cisco Secure Desktop, which is a distinct product from AnyConnect, provides 32-bit Vista support for its posture assessment and cache cleaner components. Cisco Secure Desktop does not support secure desktop on Vista at this time. The client can be loaded on the security appliance and automatically deployed to remote users when they log in to the security appliance, or it can be installed as an application on PCs by a network administrator using standard software deployment mechanisms. You can use a text editor to create user profiles as XML files. These profiles drive the display in the user interface and define the names and addresses of host computers.
CSA Interoperability with the AnyConnect Client and Cisco Secure Desktop
If your remote users have Cisco Security Agent (CSA) installed, you must import new CSA policies to the remote users to enable the AnyConnect VPN Client and Cisco Secure Desktop to interoperate with the security appliance. To do this, follow these steps:
1-7
Introduction
Step 1
Retrieve the CSA policies for the AnyConnect client and Cisco Secure Desktop. You can get the files from:
The CD shipped with the security appliance. The software download page for the ASA 5500 Series Adaptive Security Appliance at http://www.cisco.com/cgi-bin/tablebuild.pl/asa.
Extract the .export files from the .zip package files. Choose the correct version of the .export file to import. The Version 5.2 export files work for CSA Versions 5.2 and higher. The 5.x export files are for CSA Versions 5.0 and 5.1. Import the file using the Maintenance > Export/Import tab on the CSA Management Center. Attach the new rule module to your VPN policy and generate rules. For more information, see the CSA document Using Management Center for Cisco Security Agents 5.2. Specific information about exporting policies is located in the section Exporting and Importing Configurations.
1-8
OL-12950-012
CH A P T E R
Without a previously-installed client, remote users enter into their browser the IP address or DNS name of an interface configured to accept clientless SSL VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, users must enter the URL in the form https://<address>.
Note
A user with a clientless SSL VPN connection can switch to an AnyConnect client SSL VPN connection by clicking the AnyConnect drawer on the portal and following the instructions on that page. After the user enters the URL, the browser connects to that interface and displays the login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the client, it loads the client that matches the operating system of the remote computer. After loading, the client installs and configures itself, establishes a secure SSL connection and either remains or uninstalls itself (depending on the security appliance configuration) when the connection terminates.
Standalone Mode
In the case of a previously-installed client, when the user authenticates, the security appliance examines the revision of the client, and upgrades the client as necessary. When the client negotiates an SSL VPN connection with the security appliance, it connects using Transport Layer Security (TLS). The client can also negotiate a simultaneous Datagram Transport Layer Security (DTLS) connection. DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
2-1
The AnyConnect client can be downloaded from the security appliance, or it can be installed manually on the remote PC by the system administrator. This document contains information about how to configure the features of the AnyConnect client. For more detailed information about configuring the AnyConnect client and other SSL VPN connections on the security appliance, see Configuring SSL VPN Connections in Cisco Security Appliance Command Line Configuration Guide. For detailed descriptions of the commands referred to in this administrators guide, see the Cisco ASA 5500 Command Reference Guide for version 8.0 or later. The security appliance loads the client based on the group policy or username attributes of the user establishing the connection. You can configure the security appliance to automatically download the client, or you can configure it to prompt the remote user about whether to download the client. In the latter case, if the user does not respond, you can configure the security appliance to either download the client after a timeout period or present the portal page.
Note
When using Start Before Logon, the VPN Gina (VPN Graphical Identification and Authentication) a cannot be installed dynamically if the AnyConnect client is installed manually. The VPN Gina can be installed either before or after the AnyConnect client, but they must either be both installed manually or both installed dynamically (CSCsh38590). This section describes installation-specific issues and procedures for the AnyConnect client Release 2.0(1), and contains the following sections:
Before You Install the AnyConnect Client, page 2-2 Installing the AnyConnect Client on a Users PC, page 2-8 Installing the AnyConnect Client on a Users PC, page 2-8
Ensuring Automatic Installation of AnyConnect Clients, page 2-2 AnyConnect Client and New Windows Installations, page 2-3 Adding a Security Appliance to the List of Trusted Sites (Internet Explorer), page 2-3 Adding a Security Certificate in Response to Browser Security Alert Windows, page 2-4
To minimize user prompts during AnyConnect client setup, make sure certificate data on client PCs and on the security appliance match:
If you are using a Certificate Authority (CA) for certificates on the security appliance, choose
2-2
OL-12950-012
Chapter 2
Common AnyConnect VPN Client Installation and Configuration Procedures Before You Install the AnyConnect Client
The procedure varies by browser. See the procedures that follow this section.
Make sure the Common Name (CN) in security appliance certificates matches the name clients
use to connect to it. By default, the security appliance certificate CN field is its IP address. If clients use a DNS name, change the CN field on the security appliance certificate to that name.
The Cisco Security Agent (CSA) might display warnings during the AnyConnect client installation.
Current shipping versions of CSA do not have a built-in rule that is compatible with the AnyConnect client. You can create the following rule using CSA version 5.0 or later by following these steps:
Step 1
In the Rule Module: Cisco Secure Tunneling Client Module, add a FACL:
Priority Allow, no Log, Description: Cisco Secure Tunneling Browsers, read/write vpnweb.ocx Applications in the following class: Cisco Secure Tunneling Client - Controlled Web Browsers Attempt: Read file, Write File
Application Class: Cisco Secure Tunneling Client - Installation Applications add the following process names:
**\vpndownloader.exe @program_files\**\Cisco\Cisco AnyConnect VPN Client\vpndownloader.exe
We recommend that Microsoft Internet Explorer (MSIE) users add the security appliance to the list of trusted sites, or install Java. Doing so enables the ActiveX control to install with minimal interaction from the user. This is particularly important for users of Windows XP SP2 with enhanced security. Windows Vista users must add the security appliance to the list of trusted sites in order to use the dynamic deployment feature. Refer to the following sections for instructions.
This could occur if the computer does not have the file MSVCP60.dll or MSVCRT.dll located in the winnt\system32 directory. For more information about this problem, see the Microsoft Knowledge Base, article 259403, at http://support.microsoft.com/kb/259403.
2-3
Note
Adding a security appliance to the list of trusted sites for Internet Explorer is required for those running Windows Vista who want to use WebLaunch. Go to Tools > Internet Options > Trusted Sites. The Internet Options window opens. Click the Security tab. Click the Trusted Sites icon. Click Sites. The Trusted Sites window opens. Type the host name or IP address of the security appliance. Use a wildcard such as https://*.yourcompany.com to allow all ASA 5500s within the yourcompany.com domain to be used to support multiple sites. Click Add. Click OK. The Trusted Sites window closes. Click OK in the Internet Options window.
Step 1
Step 5
Step 6 Step 7
Step 8
Note
To use Microsoft Active Directory to add the security appliance to the list of Internet Explorer trusted sites for domain users, see Using Microsoft Active Directory to Add the Security Appliance to the List of Internet Explorer Trusted Sites for Domain Users, page B-1. When a user gets the server certificate for the security appliance from a globally trusted certificate authorityfor example, Verisign or Ciscothe user never sees a Security Alert pop-up when connecting to that security appliance.
A remote user using standalone mode might see a Security Alert dialog box in several possible login situations. The following examples and scenarios show some instances. After these descriptions, youll see how to add a security certificate to avoid these situations. The following examples illustrate sequences of events involving the pop-up Security Alert dialog box.
Example Set 1
1. 2.
A user connects to badly configured security appliance #1. As a result, the user sees the pop-up Security Alert dialog box. The user approves the certificate.
2-4
OL-12950-012
Chapter 2
Common AnyConnect VPN Client Installation and Configuration Procedures Before You Install the AnyConnect Client
3. 4. 5. 6. 7. 8. 9.
The user connects successfully to security appliance #1. The user disconnects from security appliance #1. The user reconnects to badly configured security appliance #1. The user does not see the pop-up dialog box, because the certificate is stored in the preferences file. The user connects successfully to security appliance #1. The user disconnects from security appliance #1. The user connects to correctly configured security appliance #2. The user sees no dialog box and connects successfully.
10. The user disconnects from security appliance #2. 11. The user connects to badly configured security appliance #1. 12. The user sees a pop-up Security Alert dialog box prompt.
Example Set 2
The following are examples of non-serious errors that result in a Security Alert dialog box prompting the user.
Invalid Common Name: The hostname in the certificate sent to us from the security appliance does not match the hostname that the user connected to. For example, the user connects to 10.94.147.93, and the certificate received from the security appliance contains cvc-asa06.cisco.com. 10.94.147.93 and cvc-asa06.cisco.com might or might not be the same machine. The Security Alert dialog box prompts the user to approve or disapprove the certificate.
Invalid Date: The certificate received from the security appliance has expired or is not yet valid. This could be because the date on the customer's machine is incorrect or because the certificate really is invalid. The Security Alert dialog box prompts the user to approve or disapprove the certificate. Invalid Certificate Authority: The certificate received from the security appliance has been signed by a Certificate Authority that is not recognized by the AnyConnect client. The AnyConnect client prompts the user for approval/disapproval. Recommendation: The root certificate (certificate of the Certificate Authority) should be imported into the client machine out of band (via E-mail, website, floppy disk, CD, and so on).
Example Set 3
The following are examples of serious errors that result in no Security Alert prompt and no connection.
Certificate cannot be read. Bad password. Certificate not sent to the client. Bad Usage: Certificate received from the security appliance was not meant to be used as a server certificate.
Scenario A: The user gets the server certificate for their security appliance from a non-trusted certificate authority; for example, their own certificate authority or cacert.org. The user sees the Security Alert pop-up on the first connection attempt but never thereafter until he or she switches to a different security appliance and back.
2-5
Recommendation: Administrators should import the root certificate that was used to sign that server certificate (for example, their own certificate authority or cacert.org) into every client machine out of band via E-mail, website, floppy disk, and so on.
Scenario B: The user gets the server certificate for the security appliance from the certificate authority that sits on the security appliance. The user sees the Security Alert pop-up on the first connection attempt but never thereafter until he or she switches to a different security appliance and back. Recommendation: Administrators should import the root certificate of the certificate authority that sits on the security appliance into every client machine out of band via E-mail, website, floppy disk, and so on.
Scenario C: the security appliance is at default configuration and certificates haven't been configured. When at default, the security appliance generates a self-signed server certificate that the AnyConnect client does not trust. The user sees the Security Alert pop-up on the first connection attempt but never thereafter until he or she switches to a different security appliance and back. Recommendation: Administrators should correctly configure certificates on their security appliance before attempting client connections to them.
The following procedure explains how to install a self-signed certificate as a trusted root certificate on a client in response to a Microsoft Internet Explorer Security Alert window. This window opens when you establish a Microsoft Internet Explorer connection to a security appliance that is not recognized as a trusted site. The upper half of the Security Alert window shows the following text:
Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.
Click View Certificate in the Security Alert window. The Certificate window opens. Click Install Certificate. The Certificate Import Wizard Welcome opens. Click Next. The Certificate Import Wizard Certificate Store window opens. Select Automatically select the certificate store based on the type of certificate. Click Next. The Certificate Import Wizard Completing window opens. Click Finish. Another Security Warning window prompts Do you want to install this certificate? Click Yes. The Certificate Import Wizard window indicates the import is successful. Click OK to close this window.
Step 2
Step 3
Step 4 Step 5
Step 6 Step 7
Step 8
2-6
OL-12950-012
Chapter 2
Common AnyConnect VPN Client Installation and Configuration Procedures Before You Install the AnyConnect Client
Step 9 Step 10
Click OK to close the Certificate window. Click Yes to close the Security Alert window. The security appliance window opens, signifying the certificate is trusted.
The following procedure explains how to install a self-signed certificate as a trusted root certificate on a client in response to a Web Site Certified by an Unknown Authority window. This window opens when you establish a Netscape, Mozilla, or Firefox connection to a security appliance that is not recognized as a trusted site. This window shows the following text:
Unable to verify the identity of <Hostname_or_IP_address> as a trusted site.
Click the Examine Certificate button in the Web Site Certified by an Unknown Authority window. The Certificate Viewer window opens. Click the Accept this certificate permanently option. Click OK. The security appliance window opens, signifying the certificate is trusted.
Step 2 Step 3
When users first connect using AnyConnect, they should click View Certificate, install this new certificate, then click Yes to proceed. The next time they re-connect, they do not see the security alert popup, even if the security appliance is rebooted.
2-7
Where to Find the AnyConnect Client Files to Install, page 2-8 Installing the AnyConnect Client Using the Microsoft Windows Installer on a PC Running Windows, page 2-8 Installing the AnyConnect Client on a PC Running Linux, page 2-9 Installing the AnyConnect Client on a PC Running MAC OSX, page 2-9
Installing the AnyConnect Client Using the Microsoft Windows Installer on a PC Running Windows
To install the AnyConnect client on a PC running Windows, follow these steps. We suggest you accept the defaults unless your system administrator has instructed otherwise.
Note
Vista users must add the security appliance to the trusted zone for automatic installation by the security appliance to work (CSCsh23752). Exit all Windows programs, and disable any antivirus software (recommended). Download the AnyConnect client MSI file from the Cisco site; for example, anyconnect-win-2.0.xxx.msi, where xxx represents the current build number. See the Release Notes for the current release for the full set of operating-system-specific download sites. Double-click the MSI file. The welcome screen for the Cisco AnyConnect VPN Client Setup Wizard displays. Click Next. The End-User License Agreement displays. Accept the license agreement and click OK. The Select Installation Folder screen displays. Accept the default folder or enter a new folder and click Next. The Ready to Install screen displays. Click Install. The client installs and displays the status bar during installation. After installing, the Completing the Cisco AnyConnect VPN Client Setup Wizard screen displays. Click Next. The wizard disappears and the installation is complete.
Step 1 Step 2
2-8
OL-12950-012
Chapter 2
Common AnyConnect VPN Client Installation and Configuration Procedures Installing the AnyConnect Client on a Users PC
You can also use the Microsoft Installer to load the AnyConnect client software on the users Windows-based PC. MSI gives Windows users a pre-install package option that provides installation, maintenance, and removal of AnyConnect client software on Windows systems.
For Linux, the client files are contained in a tar/gz file. Unpack the archive with a tar command. For example:
tar xvzf AnyConnect-Linux-Release-2.0.0xxx.tar.gz
The files necessary for installation are placed in the folder ciscovpn.
Step 2
Change to the ciscovpn folder. As a root user, run the script named vpn_install.sh. For example:
[root@linuxhost]# cd ciscovpn [root@linuxhost]# ./vpn_install.sh
The client installs in the directory /opt/cisco/vpn. This script also installs the daemon vpnagentd and sets it up as a service that is automatically started when the system boots.
After installing the client, you can start the client manually from the user interface with the Linux command /opt/cisco/vpn/bin/vpnui or with the client CLI command /opt/cisco/vpn/bin/vpn.
Transfer the installation package file to the desktop and double-click the file. Select one of the following files:
anyconnect-macosx-i386-2.0.xxx.dmg anyconnect-macosx-powerpc-2.0.xxx.dmg
Double-click the vpn icon to initiate the installation. Follow the sequence of the vpnclient installer, accepting the licensing agreement, selecting the destination volume, and then selecting the Upgrade option to perform a basic installation.
Note
2-9
2-10
OL-12950-012
CH A P T E R
Installing the AnyConnect Client and Configuring the Security Appliance with ASDM
Installing the client on the security appliance consists of copying a client image to the security appliance and identifying the file to the security appliance as a client image. With multiple clients, you must also assign the order in which the security appliance loads the clients to the remote PC.
Note
The AnyConnect client configuration uses the same parameters as the SSL VPN Client. Many of the file names, panel names, and ASDM navigation elements, as well as most of the CLI commands include the prefix svc, indicating this similarity. Perform the following steps to install the client:
Load the AnyConnect client images to the security appliance. On the ASDM toolbar, click Configuration. The navigation pane displays features to configure. In the navigation pane, click Remote Access VPN. The navigation pane displays VPN features. Choose Network (Client) Access > Advanced > SSL VPN > Client Settings. The SSL VPN Client Settings panel displays. (Figure 3-1). This panel lists any AnyConnect client files that have been identified as AnyConnect client images. The order in which they appear in the table reflects the order in which they download to the remote computer.
3-1
Chapter 3
Installing the AnyConnect Client and Configuring the Security Appliance with ASDM
Figure 3-1
To add an AnyConnect client image, Click Add in the SSL VPN Client Images area. The Add SSL VPN Client Image dialog appears (Figure 3-2).
Figure 3-2 Add SSL VPN Client Image Dialog
If you already have an image located in the flash memory of the security appliance, you can enter the name of the image in the Flash SVC Image field, and click OK. The SSL VPN Client Settings panel now shows the AnyConnect client images you identified (Figure 3-3).
3-2
OL-12950-012
Chapter 3
Installing the AnyConnect Client and Configuring the Security Appliance with ASDM
Figure 3-3
Note
The security appliance downloads portions of each client in the order you specify until it matches the operating system of the remote PC. Therefore, assign the topmost position to the image used by the most commonly-encountered operating system. Click on an image name, and use the Move Up or Move Down button to change the position of the image within the list. This establishes the order in which the security appliance loads them to the remote computer. The security appliance loads the AnyConnect client image at the top of the list of images first. Therefore, you should move the image used by the most commonly-encountered operating system to the top of the list.
Step 4
Step 5
Enable the security appliance to download the AnyConnect client to remote users. Go to Network (Client) Access > SSL VPN Connection Profiles. The SSL VPN Connection Profiles panel appears (Figure 3-4). Check Enable Cisco AnyConnect VPN Client or legacy SSL VPN client access on the interfaces selected in the table below.
3-3
Chapter 3
Installing the AnyConnect Client and Configuring the Security Appliance with ASDM
Figure 3-4
Step 6
Configure a method of address assignment. You can use DHCP, and/or user-assigned addressing. You can also create a local IP address pool and assign the pool to a tunnel group. To create an IP address pool, choose Network (Client) Access > Address Management > Address Pools. Click Add. The Add IP Pool dialog appears (Figure 3-5).
3-4
OL-12950-012
Chapter 3
Installing the AnyConnect Client and Configuring the Security Appliance with ASDM
Figure 3-5
Enter the name of the new IP address pool. Enter the starting and ending IP addresses, and enter the subnet mask and click OK.
3-5
Chapter 3
Installing the AnyConnect Client and Configuring the Security Appliance with ASDM
Step 7
Assign the IP address pool to a Connection (tunnel group). To do this, choose Network (Client) Access > SSL VPN Connection Profiles. The SSL VPN Connection Profiles panel appears (Figure 3-6):
Figure 3-6
To edit an existing connection profile, highlight a connection in the table, and click Edit. The Edit SSL VPN Connection > Basic dialog box appears. To add a new connection profile, click Add. The Add SSL VPN Connection > Basic dialog box appears, which is identical to the Edit dialog box, except that you must supply a name for the connection profile. Then proceed as follows.
3-6
OL-12950-012
Chapter 3
Installing the AnyConnect Client and Configuring the Security Appliance with ASDM
Click Select in the Client Address Assignment area. The Select Address Pool dialog box appears (Figure 3-7), containing available address pools. Select a pool The pool you select appears in the Assign field in the Assigned Address pools area. Click OK.
Figure 3-7 Select Address Pool Dialog
Step 8
Identify SSL VPN as a permitted VPN tunneling protocol for the group or user. Choose Network (Client) Access > Group Policies from the navigation pane. Highlight the group policy in the Group Policy table, and click Edit.
3-7
Chapter 3
Installing the AnyConnect Client and Configuring the Security Appliance with ASDM
Check the SSL VPN Client check box to include SSL VPN as a tunneling protocol.
3-8
OL-12950-012
Chapter 3
Installing the AnyConnect Client and Configuring the Security Appliance with ASDM
Step 9
Configure SSL VPN attributes for a user or group. To display SSL VPN features for groups, In the navigation pane of the Internal Group Policy dialog, choose Advanced > SSL VPN Client. The SSL VPN Client features display Figure 3-9.
Figure 3-9
Keep Installer on Client SystemEnable to allow permanent client installation on the remote computer. Enabling disables the automatic uninstalling feature of the client. The client remains installed on the remote computer for subsequent connections, reducing the connection time for the remote user. CompressionCompression increases the communications performance on low-bandwidth links between the security appliance and the client by reducing the size of the packets being transferred. On broadband connections, compression might degrade performance. Datagram TLSDatagram Transport Layer Security (DTLS) allows the AnyConnect Client establishing an SSL VPN connection to use two simultaneous tunnelsan SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
Note
Compression and DTLS are mutually exclusive. If you enable both, DTLS is inactive for the client connection.
3-9
Chapter 3
Installing the AnyConnect Client and Configuring the Security Appliance with ASDM
Keepalive MessagesEnter an number, from 15 to 600 seconds, in the Interval field to enable and adjust the interval of keepalive messages to ensure that an connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle. Adjusting the interval also ensures that the client does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer. MTUAdjust the Maximum Transmission Unit (MTU) in bytes, from 256 to 1406 bytes. This setting affects only the AnyConnect client connections established in SSL, with or without DTLS. By default, the MTU size adjusts automatically based on the MTU of the interface that the connection uses, minus the IP/UDP/DTLS overhead. Client Profile to DownloadSpecify a file on flash as a client profile. A profile is a group of configuration parameters that the AnyConnect Client uses to configure the connection entries that appear in the client user interface, including the names and addresses of host computers. Optional Client Module to DownloadSpecify any modules that the AnyConnect client needs to download to enable more features, such as Start Before Logon (SBL). To minimize download time, the AnyConnect Client requests downloads (from the security appliance) only of core modules that it needs for each feature that it supports.
The attributes you configure on the Group Policies > Advanced > SSL VPN Client dialog box set the profile for the AnyConnect Client.
3-10
OL-12950-012
CH A P T E R
Note
The AnyConnect client configuration uses the same parameters as the SSL VPN Client. Most of the CLI commands and many of the file names include the prefix svc, indicating this similarity. Perform the following steps to install the client:
Step 1
Copy the client image package to the security appliance using the copy command from privileged EXEC mode, or using another method. This example copies the images from a tftp server using the copy tftp command:
hostname# copy tftp flash Address or name of remote host []? 209.165.200.226 Source filename []? anyconnect-win-2.0.0.0343.pkg Destination filename []? anyconnect-win-2.0.0.0343.pkg Accessing tftp://209.165.200.226/anyconnect-win-2.0.0.0343.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!! Writing file disk0:/cdisk71...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 319662 bytes copied in 3.695 secs (86511 bytes/sec)
Step 2
Identify a file on flash as an SSL VPN client package file using the svc image command from webvpn configuration mode: svc image filename order The security appliance expands the file in cache memory for downloading to remote PCs. If you have multiple clients, assign an order to the client images with the order argument. The security appliance downloads portions of each client in the order you specify until it matches the operating system of the remote PC. Therefore, assign the lowest number to the image used by the most commonly-encountered operating system. For example:
hostname(config-webvpn)# svc image anyconnect-win-2.0.0343-k9.pkg 1 hostname(config-webvpn)# svc image anyconnect-macosx-i386-2.0.0343-k9.pkg 2 hostname(config-webvpn)# svc image anyconnect-linux-2.0.0343-k9.pkg 3
4-1
Note
The security appliance expands SSL VPN client and the Cisco Secure Desktop images in cache memory. If you receive the error message ERROR: Unable to load SVC image - increase disk space via the 'cache-fs' command, use the cache-fs limit command to adjust the size of cache memory: Check the status of the clients using the show webvpn svc command:
hostname(config-webvpn)# show webvpn svc 1. disk0:/anyconnect-win-2.0.0343-k9.pkg 1 CISCO STC win2k+ 2,0,0343 Tue 03/27/2007 4:16:21.09 2. disk0:/anyconnect-macosx-i386-2.0.0343-k9.pkg 2 CISCO STC Darwin_i386 2,0,0 Tue Mar 27 05:09:16 MDT 2007 3. disk0:/anyconnect-linux-2.0.0343-k9.pkg 3 CISCO STC Linux 2,0,0 Tue Mar 27 04:06:53 MST 2007 3 SSL VPN Client(s) installed
Step 3
Enable WebVPN on an interface using the enable command from webvpn mode: enable interface For example:
hostname(config)# webvpn hostname(config-webvpn)# enable outside
Enable SSL VPN connections globally, using the svc enable command from webvpn configuration mode. For example:
hostname(config-webvpn)# svc enable
Step 3
Enable DTLS on an interface, using the dtls enable command in webvpn mode. For example:
hostname(config-webvpn)# dtls enable outside
To enable DTLS globally for a specific port, use the dtls port command in webvpn mode. The following example enters webvpn configuration mode and specifies port 444 for DTLS:
hostname(config)# webvp4 hostname(config-webvpn)# dtls port 445
Step 4
Configure a method of address assignment. You can use DHCP, and/or user-assigned addressing. You can also create a local IP address pool using the ip local pool command from global configuration mode:
4-2
OL-12950-012
Chapter 4
Installing the AnyConnect Client on a Security Appliance Using CLI Enabling AnyConnect Client SSL VPN Connections Using CLI
ip local pool poolname startaddr-endaddr mask mask The following example creates the local IP address pool vpn_users:
hostname(config)# ip local pool vpn_users 209.165.200.225-209.165.200.254 mask 255.255.255.224
Step 5
Assign IP addresses to a tunnel group. One method you can use to do this is to assign a local IP address pool with the address-pool command from general-attributes mode: address-pool poolname To do this, first enter the tunnel-group name general-attributes command to enter general-attributes mode. Then specify the local IP address pool using the address-pool command. In the following example, the user configures the existing tunnel group telecommuters to use the address pool vpn_users created in step 3:
hostname(config)# tunnel-group telecommuters general-attributes hostname(config-tunnel-general)# address-pool vpn_users
Step 6
Assign a default group policy to the tunnel group with the default-group-policy command from tunnel group general attributes mode: default-group-policy name In the following example, the user assigns the group policy sales to the tunnel group telecommuters:
hostname(config-tunnel-general)# default-group-policy sales
Step 7
Create and enable a group alias that displays in the group list on the WebVPN Login page using the group-alias command from tunnel group webvpn attributes mode: group-alias name enable First exit to global configuration mode, and then enter the tunnel-group name webvpn-attributes command to enter tunnel group webvpn attributes mode. In the following example, the user enters webvpn attributes configuration mode for the tunnel group telecommuters, and creates the group alias sales_department:
hostname(config)# tunnel-group telecommuters webvpn-attributes hostname(config-tunnel-webvpn)# group-alias sales_department enable
Step 8
Enable the display of the tunnel-group list on the WebVPN Login page from webvpn mode: tunnel-group-list enable First exit to global configuration mode, and then enter webvpn mode. In the following example, the user enters webvpn mode, and then enables the tunnel group list:
hostname(config)# webvpn hostname(config-webvpn)# tunnel-group-list enable
Step 9
Specify SSL as a permitted VPN tunneling protocol for the group or user with the vpn-tunnel-protocol svc command in group-policy mode or username mode: vpn-tunnel-protocol svc You can also specify other protocols to permit by adding the names of those protocols to this command. For more information about the vpn-tunnel-protocol command, see the command description in Cisco Security Appliance Command Reference.
4-3
To specify SSL as a permitted tunneling protocol, first exit to global configuration mode, enter the group-policy name attributes command to enter group-policy mode, or the username name attributes command to enter username mode, and then enter the webvpn command to enter webvpn mode and change the WebVPN settings for the group or user. The following example identifies SSL as the only permitted tunneling protocol for the group-policy sales:
hostname(config)# group-policy sales attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)# vpn-tunnel-protocol svc
For more information about assigning users to group policies, see Configuring Tunnel Groups, Group Policies, and Users in Cisco Security Appliance Command Line Configuration Guide.
4-4
OL-12950-012
CH A P T E R
Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections, page 5-1 Prompting Remote Users, page 5-4 Enabling IPv6 VPN Access, page 5-5 Enabling Modules for Additional AnyConnect Features, page 5-5 Configuring Certificate-only Authentication, page 5-6 Using Compression, page 5-9 Configuring DTLS, page 5-2 Enabling AnyConnect Keepalives, page 5-11 Configuring the Dynamic Access Policies Feature of the Security Appliance, page 5-15 Cisco Secure Desktop Support, page 5-15 Enabling AnyConnect Rekey, page 5-12 Enabling and Adjusting Dead Peer Detection, page 5-14
Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections
Datagram Transport Layer Security avoids latency and bandwidth problems associated with some SSL-only connections, including AnyConnect connections, and improves the performance of real-time applications that are sensitive to packet delays. DTLS is a standards-based SSL protocol that provides a low-latency data path using UDP. For detailed information about DTLS, see RFC 4347 (http://www.ietf.org/rfc/rfc4347.txt). Datagram Transport Layer Security (DTLS) allows the AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnelsan SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays. If you do not enable DTLS, AnyConnect/SSL VPN connections connect with an SSL VPN tunnel only. You cannot enable DTLS globally with ASDM. The following section describes how to enable DTLS for any specific interface.
5-1
Chapter 5 Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections
To enable DTLS for a specific interface, select Configuration > Remote Access VPN > Network (Client) Access > Advanced > SSL VPN Connection profiles. The SSL VPN Connection Profiles dialog box opens (Figure 5-1).
Figure 5-1 Enable DTLS Check Box
To enable DTLS on an interface, select the check box in its row. To specify a separate UDP port to use for AnyConnect, enter the port number in the UDP Port field. The default value is port 443.
Configuring DTLS
If DTLS is configured and UDP is interrupted, the remote users connection automatically falls back from DTLS to TLS. The default is enabled; however, DTLS is not enabled by default on any individual interface. Enabling DTLS allows the AnyConnect client establishing an AnyConnect VPN connection to use two simultaneous tunnelsan SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
5-2
OL-12950-012
Chapter 5
Configuring AnyConnect Features Using ASDM Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections
If you do not enable DTLS, AnyConnect client users establishing SSL VPN connections connect only with an SSL VPN tunnel. To enable DTLS, use the Datagram TLS setting in either Group Policy or Username. The paths to this setting are:
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
Figure 5-2 shows an example of configuring the DTLS setting for an internal group policy.
Figure 5-2 Enabling or Disabling DTLS
Note
When using the AnyConnect client with DTLS on security appliance, Dead Peer Detection must be enabled in the group policy on the security appliance to allow the AnyConnect client to fall back to TLS, if necessary. Fallback to TLS occurs if the AnyConnect client cannot send data over the UPD/DTLS session, and the DPD mechanism is necessary for fallback to occur.
5-3
Deselect the Inherit check box, if necessary, and in the Post Login Setting area, select the option Prompt user to choose. To disable this option, select Do not prompt user to choose. When you enable the prompting option, another field becomes available, asking you to specify the number of seconds the user has to choose before the Default Post Login selection takes effect. Select the Default Post Login selection to specify the action that the AnyConnect client takes if the user does not make a selection before the timer specified in the prompting option expires. The options are:
Go to Clientless SSL VPN PortalImmediately displays the portal page for Clientless SSL VPN. The user can still invoke the AnyConnect client from the portal by clicking Start AnyConnect Client. Download SSL VPN ClientImmediately starts downloading the AnyConnect client to the remote users PC.
5-4
OL-12950-012
Chapter 5
Figure 5-4 shows the prompt displayed to remote users when either the default svc timeout value or the default webvpn timeout value is configured (in this case, the timeout was set to 35 seconds):
Figure 5-4 Prompt Displayed to Remote Users for SSL VPN Client Download
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client Device management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client.
Specify the module name, for example, sbl for the Start Before Logon feature, in the Optional Client Module to Download field. Separate multiple strings with commas. Figure 5-5 shows an example.
5-5
Figure 5-5
In the case of Start Before Logon, you must also enable the feature in the XML profile. For a list of values to enter for each AnyConnect client feature, see the Release Notes for the Cisco AnyConnect VPN Client.
5-6
OL-12950-012
Chapter 5
Configuring AnyConnect Features Using ASDM Configuring, Enabling, and Using Other AnyConnect Features
To configure certificate-only authentication using ASDM, select Configuration > Remote Access > Network (Client) Access > SSL VPN Connection Profiles, and in the Connection Profiles area, select Add or Edit. This displays the Add or Edit SSL VPN Connect Profile dialog box with the Basic option selected. In the Authentication area, select only Certificate as the Method.
Figure 5-6 Configuring Certificate-Only Authentication, Edit SSL VPN Dialog Box
To make this feature take effect, you must also enable AnyConnect client access on particular interfaces and ports, as needed. To do this, select Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles. The SSL VPN Connection Profiles dialog box (Figure 5-7) appears.
5-7
Figure 5-7
In the Access Interfaces area, select the check box Enable Cisco AnyConnect VPN Client or legacy SSL VPN Client access on the interfaces selected in the table below. Then select the check boxes for the interfaces on which you want to enable access. Specify the Access Port. The default access port is 443. If you want to assign a specific certificate to an interface, click Assign Certificate to Interface. This opens the SSL Settings dialog box (Figure 5-8).
5-8
OL-12950-012
Chapter 5
Configuring AnyConnect Features Using ASDM Configuring, Enabling, and Using Other AnyConnect Features
Figure 5-8
In the Certificates area, specify which certificates, if any, you want to use for SSL authentication on each interface. If you do not specify a certificate for a particular interface, the fallback certificate will be used. In the Fallback Certificate field, select a certificate from the drop-down list. The default is --None--.
Using Compression
On low-bandwidth connections, compression increases the communications performance between the security appliance and the client by reducing the size of the packets being transferred. By default, compression for all SSL VPN connections is enabled on the security appliance, both at the global level and for specific groups or users. For broadband connections, compression might result in poorer performance. By default, if you have not changed the compression setting globally, compression is enabled. You can configure compression globally using the CLI command compression svc command from global configuration mode.
5-9
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
Figure 5-9 shows an example of configuring the compression setting for an internal group policy.
5-10
OL-12950-012
Chapter 5
Configuring AnyConnect Features Using ASDM Configuring, Enabling, and Using Other AnyConnect Features
Figure 5-9
Compression Setting
By default, for groups and users, SSL compression is set to Inherit. If you deselect Inherit, the default is enabled (equivalent to deflate in the CLI).
Note
For compression to work, it must be enabled both globally (by the compression svc command configured from global configuration mode) and for the specific group policy or username. If either is set to disable (or to the none or the no form of the command), compression is disabled.
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
5-11
Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
Figure 5-10 shows an example of configuring the keepalive messages setting for an internal group policy.
Figure 5-10 Configuring Keepalive Messages
Configure the Keepalive Messages field for this attributeby deselecting Inherit and entering a number, from 15 to 600 seconds, in the Interval field to enable and adjust the interval of keepalive messages to ensure that an connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle. Adjusting the interval also ensures that the client does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client > Key Regeneration
5-12
OL-12950-012
Chapter 5
Configuring AnyConnect Features Using ASDM Configuring, Enabling, and Using Other AnyConnect Features
Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client > Key Regeneration Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client > Key Regeneration
Figure 5-11 shows an example of configuring the Rekey setting for an internal group policy.
Figure 5-11 Configuring Rekey Attributes
Key renegotiation occurs when the security appliance and the client perform a rekey and they renegotiate the crypto keys and initialization vectors, increasing the security of the connection. The fields on this dialog box are as follows:
Renegotiation IntervalClear the Unlimited check box to specify the number of minutes from the start of the session until the rekey takes place, from 1 to 10080 (1 week). Renegotiation MethodCheck the None check box to disable rekey, check the SSL check box to specify SSL renegotiation during a rekey, or check the New Tunnel check box to establish a new tunnel during rekey.
Note
The security appliance does not currently support inline DTLS rekey. The AnyConnect client, therefore, treats all DTLS rekey events as though they were of the new tunnel method instead of the inline ssl type (CSCsh93610).
5-13
Note
When using the AnyConnect client with DTLS on security appliance, Dead Peer Detection must be enabled in the group policy on the security appliance to allow the AnyConnect client to fall back to TLS, if necessary. Fallback to TLS occurs if the AnyConnect client cannot send data over the UPD/DTLS session, and the DPD mechanism is necessary for fallback to occur. To enable DPD on the security appliance or client for a specific group or user, and to set the frequency with which either the security appliance or client performs dead-peer detection, use the Dead Peer Detection dialog box for either group-policy or username. The paths to this setting are:
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client > Dead Peer Detection Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client > Dead Peer Detection Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client > Dead Peer Detection
Figure 5-12 shows an example of configuring the Dead Peer Detection setting for an internal group policy.
5-14
OL-12950-012
Chapter 5
Configuring AnyConnect Features Using ASDM Configuring, Enabling, and Using Other AnyConnect Features
Figure 5-12
Gateway Side DetectionDeselect the Disable check box to specify that dead-peer detection is performed by the security appliance (gateway). Enter the interval, from 30 to 3600 seconds, with which the security appliance performs dead-peer detection. Client Side DetectionDeselect the Disable check box to specify that dead-peer detection is performed by the client. Enter the interval, from 30 to 3600 seconds, with which the client performs dead-peer detection.
5-15
Cisco Secure Desktop for Windows 2000 and Windows XP. There is no specific configuration of AnyConnect required to use Secure Desktop. For detailed information about configuring Cisco Secure Desktop, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators (Software Release 3.2).
5-16
OL-12950-012
CH A P T E R
Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections, page 6-1 Prompting Remote Users, page 6-2 Enabling IPv6 VPN Access, page 6-3 Enabling Modules for Additional AnyConnect Features, page 6-4 Configuring Certificate-only Authentication, page 6-5 Using Compression, page 6-5 Configuring the Dynamic Access Policies Feature of the Security Appliance, page 6-6 Configuring the Dynamic Access Policies Feature of the Security Appliance, page 6-6 Cisco Secure Desktop Support, page 6-6 Enabling AnyConnect Rekey, page 6-6 Enabling and Adjusting Dead Peer Detection, page 6-7 Enabling AnyConnect Keepalives, page 6-8
Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections
Datagram Transport Layer Security avoids latency and bandwidth problems associated with some SSL-only connections, including AnyConnect connections, and improves the performance of real-time applications that are sensitive to packet delays. DTLS is a standards-based SSL protocol that provides a low-latency data path using UDP. For detailed information about DTLS, see RFC 4347 (http://www.ietf.org/rfc/rfc4347.txt). Datagram Transport Layer Security (DTLS) allows the AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnelsan SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays. If you do not enable DTLS, SSL VPN connections connect with an SSL VPN tunnel only.
6-1
6-2
OL-12950-012
Chapter 6
svc ask enable default webvpn timeout value prompts the remote user to download the client or go to the WebVPN portal page, and waits the duration of value before taking the default actiondisplaying the WebVPN portal page. Figure 6-1 shows the prompt displayed to remote users when either default svc timeout value or default webvpn timeout value is configured:
Figure 6-1 Prompt Displayed to Remote Users for SSL VPN Client Download
The following example configures the security appliance to prompt the remote user to download the client or go to the WebVPN portal page and to wait 10 seconds for user response before downloading the client:
hostname(config-group-webvpn)# svc ask enable default svc timeout 10
Enable IPv6 on the outside interface. Enable IPv6 and an IPv6 address on the inside interface. Configure an IPv6 address local pool for client assigned IP Addresses. Configure an IPv6 Tunnel default gateway.
Configure Interfaces:
interface GigabitEthernet0/0 nameif outside security-level 0 ip address 192.168.0.1 255.255.255.0 ipv6 enable ; Needed for IPv6.
6-3
! interface GigabitEthernet0/1 nameif inside security-level 100 ip address 10.10.0.1 255.255.0.0 ipv6 address 2001:DB8::1/32 ; Needed for IPv6. ipv6 enable ; Needed for IPv6.
Step 2
Configure an 'ipv6 local pool' (used for AnyConnect Client IPv6 address assignment):
ipv6 local pool ipv6pool 2001:DB8:1:1::5/32 100 ; Use your IPv6 prefix here
Note
You still need to configure an IPv4 address pool when using IPv6 (using the ip local pool command)
Step 3
Add the ipv6 address pool to your Tunnel group policy (or group-policy):
tunnel-group YourTunGrp1 general-attributes ipv6-address-pool ipv6pool
Note
Again, you must also configure an IPv4 address pool here as well (using the 'address-pool' command).
Step 4
6-4
OL-12950-012
Chapter 6
Configuring AnyConnect Features Using CLI Configuring, Enabling, and Using Other AnyConnect Features
Note
You must configure ssl certificate-authentication interface <interface> port <port> for this option to take effect. To configure certificate-only authentication using ASDM, select Configuration > Remote Access > Network (Client) Access > SSL VPN Connection Profiles, and in the Connection Profiles area, select Add or Edit. This displays the Add or Edit SSL VPN Connect Profile dialog box with the Basic option selected. In the Authentication area, specify only Certificate as the Method.
Using Compression
On low-bandwidth connections, compression increases the communications performance between the security appliance and the client by reducing the size of the packets being transferred. By default, compression for all SSL VPN connections is enabled on the security appliance, both at the global level and for specific groups or users. For broadband connections, compression might result in poorer performance. You can configure compression globally using the compression svc command from global configuration mode. You can also configure compression for specific groups or users with the svc compression command in group-policy and username webvpn modes. The global setting overrides the group-policy and username settings.
Changing Compression Globally
To change the global compression settings, use the compression svc command from global configuration mode: compression svc no compression svc To remove the command from the configuration, use the no form of the command. In the following example, compression is disabled for all SSL VPN connections globally:
hostname(config)# no compression svc
6-5
To change compression for a specific group or user, use the svc compression command in the group-policy and username webvpn modes: svc compression {deflate | none} no svc compression {deflate | none} By default, for groups and users, SSL compression is set to deflate (enabled). To remove the svc compression command from the configuration and cause the value to be inherited from the global setting, use the no form of the command: The following example disables compression for the group-policy sales:
hostname(config)# group-policy sales attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)# svc compression none
Note
For compression to work, both the compression svc command (configured from global configuration mode) and the svc compression command (configured in group-policy and username webvpn modes) must be enabled. If either command is set to none or to the no form, compression is disabled.
6-6
OL-12950-012
Chapter 6
Configuring AnyConnect Features Using CLI Configuring, Enabling, and Using Other AnyConnect Features
[no] svc rekey {method {new-tunnel | none | ssl} | time minutes} method new-tunnel specifies that the client establishes a new tunnel during rekey. method none disables rekey. method ssl specifies that SSL renegotiation takes place during rekey. time minutes specifies the number of minutes from the start of the session or from the last rekey until the next rekey takes place, from 1 to 10080 (1 week). In the following example, the client is configured to renegotiate with SSL during rekey, which takes place 30 minutes after the session begins, for the existing group-policy sales:
hostname(config)# group-policy hostname(config-group-policy)# hostname(config-group-policy)# hostname(config-group-policy)# sales attributes webvpn svc rekey method ssl svc rekey time 30
Note
The security appliance does not currently support inline DTLS rekey. The AnyConnect client, therefore, treats all DTLS rekey events as though they were of the new tunnel method instead of the inline ssl type (CSC93610).
Note
When using the AnyConnect client with DTLS on security appliance, Dead Peer Detection must be enabled in the group policy on the ASA to allow the AnyConnect client to fall back to TLS, if necessary. Fallback to TLS occurs if the AnyConnect client cannot send data over the UPD/DTLS session, and the DPD mechanism is necessary for fallback to occur. To enable DPD on the security appliance or client for a specific group or user, and to set the frequency with which either the security appliance or client performs DPD, use the svc dpd-interval command from group-policy or username webvpn mode: svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]} no svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]} Where: gateway seconds enables DPD performed by the security appliance (gateway) and specifies the frequency, from 30 to 3600 seconds, with which the security appliance (gateway) performs DPD. gateway none disables DPD performed by the security appliance. client seconds enable DPD performed by the client, and specifies the frequency, from 30 to 3600 seconds, with which the client performs DPD. client none disables DPD performed by the client. To remove the svc dpd-interval command from the configuration, use the no form of the command: The following example sets the frequency of DPD performed by the security appliance to 30 seconds, and the frequency of DPD performed by the client set to 10 seconds for the existing group-policy sales:
hostname(config)# group-policy sales attributes
6-7
hostname(config-group-policy)# webvpn hostname(config-group-policy)# svc dpd-interval gateway 30 hostname(config-group-policy)# svc dpd-interval client 10
6-8
OL-12950-012
CH A P T E R
Configuring and Using AnyConnect Client Operating Modes and User Profiles
AnyConnect Client Operating Modes
The user can use the AnyConnect Client in the following modes:
Standalone modeLets the user establish a Cisco AnyConnect VPN client connection without the need to use a web browser. If you have permanently installed the AnyConnect client on the users PC, the user can run in standalone mode. In standalone mode, a user opens the AnyConnect client just like any other application and enters the username and password credentials into the fields of the AnyConnect GUI. Depending on ho w you configure the system, the user might also be required to select a group. When the connection is established, the security appliance checks the version of the client on the users PC and, if necessary, downloads the latest version. WebLaunch modeLets the user enter the URL of the security appliance in the Address or Location field of a browser using the https protocol. The user then enters the username and password information on a Logon screen and selects the group and clicks submit. If you have specified a banner, that information appears, and the user acknowledges the banner by clicking Continue. The portal window appears. To start the AnyConnect client, the user clicks Start AnyConnect on the main pane. A series of documentary windows appears. When the Connection Established dialog box appears, the connection is working, and the user can proceed with online activities.
To launch the CLI command prompt and issue commands on a Windows system, locate the file vpncli.exe in the Windows folder C:\Program Files\Cisco\Cisco AnyConnect VPN Client. Double-click the file vpncli.exe.
For Linux and Mac OS X
To launch the CLI command prompt and issue commands on a Linux or Mac OS X system, locate the file vpn in the folder /opt/cisco/vpn/bin/. Execute the file vpn.
7-1
Configuring and Using AnyConnect Client Operating Modes and User Profiles
You can run the CLI in interactive mode, in which it provides its own prompt, or you can run it with the commands on the command line. Table 7-1 shows the CLI commands.
Table 7-1 AnyConnect Client CLI Commands
Action Client establishes a connection to a specific security appliance. Client closes a previously established connection. Displays statistics about an established connection. Exits the CLI interactive mode. Exits the CLI interactive mode.
The following examples show the user establishing and terminating a connection from the command line:
Windows
connect 209.165.200.224
Establishes a connection to a security appliance with the address 209.165. 200.224. After contacting the requested host, the AnyConnect client displays the group to which the user belongs and asks for the users username and password. If you have specified that an optional banner be displayed, the user must respond to the banner. The default response is n, which terminates the connection attempt. For example:
VPN> connect 209.165.200.224 >>contacting host (209.165.200.224) for login information... >>Please enter your username and password. Group: testgroup Username: testuser Password: ******** >>notice: Please respond to banner. VPN> STOP! Please read. Scheduled system maintenance will occur tonight from 1:00-2:00 AM for one hour. The system will not be available during that time. accept? [y/n] y >> notice: Authentication succeeded. Checking for updates... >> state: Connecting >> notice: Establishing connection to 209.165.200.224. >> State: Connected >> notice: VPN session established. VPN> stats
7-2
OL-12950-012
Chapter 7
Configuring and Using AnyConnect Client Operating Modes and User Profiles AnyConnect Client Operating Modes
[ Data Transfer ] Bytes(sent/received): 1950410/23861719 Packets (sent/received): 18346/28851 Bypassed (outbound/inbound): 0/0 Discarded (outbound/inbound): 0/0 [ Secure Routes ] Network 0.0.0.0 VPN> disconnect Subnet 0.0.0.0
or exit
Linux or Mac OS X
/opt/cisco/vpn/bin/vpn connect 1.2.3.4
Establishes a connection to a security appliance by reading the profile and looking up the alias some_asa_alias in order to find its address.
/opt/cisco/vpn/bin/vpn stats
The user then enters the username and password information on a Logon screen and selects the group and clicks submit. If you have specified a banner, that information appears, and the user acknowledges the banner by clicking Continue. The portal window appears. To start the AnyConnect client, the user clicks Start AnyConnect on the main pane. A series of documentary windows appears. When the Connection Established dialog box appears, the connection is working, and the user can proceed with online activities.
7-3
Configuring and Using AnyConnect Client Operating Modes and User Profiles
Note
For Windows Vista users who use the Internet Explorer browser, you must add the security appliance to the list of trusted sites, as described in Adding a Security Appliance to the List of Trusted Sites (Internet Explorer), page 2-3.
Logging In
Your system administrator has assigned you a remote access username and password. Before you log in, you must get this information from your system administrator.
Step 1 Step 2 Step 3 Step 4
Enter your remote access username in the Username field. Enter your remote access password in the Password field. Click Login. If you receive a certificate warning, install the certificate. Your remote access home page appears.
Logging Out
To end your remote access session, click the Close Window (X) icon in the toolbar or click the Logout link. The Logout page appears, confirming that your session has been terminated and offering you the opportunity to log in again. Quitting the browser also logs out the session.
Caution
Security note: Always log out when you finish your session. Logging out is especially important when you are using a public computer such as in a library or Internet cafe. If you do not log out, someone who uses the computer next could access your files. Don't risk the security of your organization! Always log out.
7-4
OL-12950-012
Chapter 7
Configuring and Using AnyConnect Client Operating Modes and User Profiles Configuring and Using User Profiles
the user selects the appropriate profile from a drop-down list. Be aware, however, that some of the profile settings, such as Start Before Login, control the connection experience at a global level. Other settings, such as those unique to a particular host, depend on the host selected.
Caution
Do not cut and paste the examples from this document. Doing so introduces line breaks that can break your XML. Instead, open the profile template file in a text editor such as notepad or wordpad. Use the template that appears after installing AnyConnect on a workstation: \Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.tmpl Follow these steps to edit profiles and use ASDM to enable the security appliance to download them to remote clients:
7-5
Configuring and Using AnyConnect Client Operating Modes and User Profiles
Step 1
Retrieve a copy of the profiles file (AnyConnectProfile.xml) from a client installation. Table 7-2 shows the installation path for each operating system.
Table 7-2 Operating System and Profile File Installation Path
1. %PROGRAMFILES% refers to the environmental variable by the same name. In most Windows installation, this is C:\Program Files.
Step 2
Edit the profiles file. The example below shows the contents of the profiles file (AnyConnectProfile.xml) for Windows:
<?xml version="1.0" encoding="UTF-8"?> <!-This is a template file that can be configured to support the identification of secure hosts in your network. The file needs to be renamed to CiscoAnyConnectProfile.xml. The svc profiles command imports updated profiles for downloading to client machines. --> <Configuration> <ClientInitialization> <UseStartBeforeLogon>false</UseStartBeforeLogon> </ClientInitialization> <HostProfile> <HostName></HostName> <HostAddress></HostAddress> </HostProfile> <HostProfile> <HostName></HostName> <HostAddress></HostAddress> </HostProfile> </Configuration>
The <HostProfile> tags are frequently edited so that the AnyConnect client displays the names and addresses of host computers for remote users. The following example shows the <HostName> and <HostAddress> tags, with the name and address of a host computer inserted:
<HostProfile> <HostName>Sales_gateway</HostName> <HostAddress>209.165.200.225</HostAddress> </HostProfile>
Step 3
To identify to the security appliance the client profiles file to load into cache memory, select Configuration > Remote Access VPN > Network (Client) Access > Advanced > Client Settings (Figure 7-1).
7-6
OL-12950-012
Chapter 7
Configuring and Using AnyConnect Client Operating Modes and User Profiles Configuring and Using User Profiles
Figure 7-1
In the SSL VPN Client Profiles area, click Add or Edit. the Add or Edit SSL VPN Client Profiles dialog box appears (Figure 7-2).
Figure 7-2 Add (or Edit) SSL VPN Client Profiles Dialog Box
Enter the profile name and profile package names in their respective fields. To browse for a profile package name, click Browse Flash. The Browse Flash dialog box appears (Figure 7-3).
7-7
Configuring and Using AnyConnect Client Operating Modes and User Profiles
Figure 7-3
Select a file from the table. The file name appears in the File Name field below the table. Click OK. The file name you selected appears in the Profile Package field of the Add or Edit SSL VPN Client Profiles dialog box.
Step 4 Step 5
Click OK in the Add or Edit SSL VPN Client dialog box. This makes profiles available to group policies and username attributes of client users. To configure a profile for a group policy, select Configuration > Remote Access VPN > Network (Client) Access > Group Policies. Select an existing group policy and click Edit or click Add to configure a new group policy. In the navigation pane, select Advanced > SSL VPN Client. The Add or Edit Internal Group Policy dialog box appears (Figure 7-4).
7-8
OL-12950-012
Chapter 7
Configuring and Using AnyConnect Client Operating Modes and User Profiles Configuring and Using User Profiles
Figure 7-4
To configure a profile for a user, select Configuration > Device Management > Users/AAA > User Accounts. Select an existing username and click Edit or click Add to configure a new username. In the navigation pane, select VPN Policy > SSL VPN Client. To modify an existing users profile, select that user from the table and click Edit. To Add a new user, click Add. The Add or Edit User Account dialog box appears (Figure 7-5).
7-9
Configuring and Using AnyConnect Client Operating Modes and User Profiles
Figure 7-5
Step 7
Deselect Inherit and select a Client Profile to Download from the drop-down list or click New to specify a new client profile. If you click New, the Add SSL VPN Client Profile dialog box (Figure 7-2 on page 7-7) appears; follow the procedures that pertain to that figure. When you have finished with the configuration, click OK.
Step 8
Note
It is important to validate the XML profile you create. Use an online validation tool or the profile import feature in ASDM. For validation, you can use the AnyConnectProfile.xsd found in the same directory as the profile template. See Appendix A, Sample AnyConnect Profile and XML Schema for a hard copy of these files.
7-10
OL-12950-012
Chapter 7
Configuring and Using AnyConnect Client Operating Modes and User Profiles Configuring Profile Attributes
The following sections describe how to modify the profiles template to configure the profile attributes.
To disable SBL, set the same value to false. To enable the UserControllable feature, use the following statement when enabling SBL:
<UseStartBeforeLogon userControllable=false>true</UseStartBeforeLogon>
In addition, the administrator must ensure that the AnyConnect profile.xml file has the <UseStartBeforeLogon> statement set to true. For example:
<UseStartBeforeLogon UserControllable=false>true</UseStartBeforeLogon>
The system must be rebooted before Start Before Logon takes effect.
7-11
Configuring and Using AnyConnect Client Operating Modes and User Profiles
You must also specify on the security appliance that you want to allow SBL (or any other modules for additional features). See the description in the section Enabling Modules for Additional AnyConnect Features, page 5-5 (ASDM) or Enabling Modules for Additional AnyConnect Features, page 6-4 (CLI) for a description of how to do this.
7-12
OL-12950-012
Chapter 7
Configuring and Using AnyConnect Client Operating Modes and User Profiles Configuring Profile Attributes
The profile can contain none or more matching criteria. If one or more criteria are specified, a certificate must match at least one to be considered a matching certificate. The example in Certificate Matching Example, page 7-15 shows how you might configure these attributes.
Constraint serverAuth clientAuth codeSign emailProtect ipsecEndSystem ipsecTunnel ipsecUser timeStamp OCSPSign dvcs
OID 1.3.6.1.5.5.7.3.1 1.3.6.1.5.5.7.3.2 1.3.6.1.5.5.7.3.3 1.3.6.1.5.5.7.3.4 1.3.6.1.5.5.7.3.5 1.3.6.1.5.5.7.3.6 1.3.6.1.5.5.7.3.7 1.3.6.1.5.5.7.3.8 1.3.6.1.5.5.7.3.9 1.3.6.1.5.5.7.3.10
As an administrator, you can add your own OIDs if the OID you want is not in the well known set. The profile can contain none or more matching criteria. A certificate must match all specified criteria to be considered a matching certificate. See profile example in Appendix A, Sample AnyConnect Profile and XML Schema for an example.
7-13
Configuring and Using AnyConnect Client Operating Modes and User Profiles
Table 7-4
Identifier CN SN GN N I GENQ DNQ C L SP ST O OU T EA ISSUER-CN ISSUER-SN ISSUER-GN ISSUER-N ISSUER-I ISSUER-GENQ ISSUER-DNQ "SSUER-C ISSUER-L ISSUER-SP ISSUER-ST ISSUER-O ISSUER-OU ISSUER-T ISSUER-EA
Description SubjectCommonName SubjectSurName SubjectGivenName SubjectUnstructName SubjectInitials SubjectGenQualifier SubjectDnQualifier SubjectCountry SubjectCity SubjectState SubjectState SubjectCompany SubjectDept SubjectTitle SubjectEmailAddr IssuerCommonName IssuerSurName IssuerGivenName IssuerUnstructName IssuerInitials IssuerGenQualifier IssuerDnQualifier IssuerCountry IssuerCity IssuerState IssuerState IssuerCompany IssuerDept IssuerTitle IssuerEmailAddr
The profile can contain none or more matching criteria. A certificate must match all specified criteria to be considered a matching certificate. Distinguished Name matching offers additional match criteria, including the ability for the administrator to specify that a certificate must or must not have the specified string, as well as whether wild carding for the string should be allowed. See Appendix A, Sample AnyConnect Profile and XML Schema, for an example.
7-14
OL-12950-012
Chapter 7
Configuring and Using AnyConnect Client Operating Modes and User Profiles Configuring Profile Attributes
7-15
Configuring and Using AnyConnect Client Operating Modes and User Profiles
7-16
OL-12950-012
CH A P T E R
Note
There is no automated mechanism included with the client to allow customizing the bitmaps and icons. Customizing requires that you manually copy the custom files to the filenames and locations listed in this section.
For Windows
All files for Windows are located in %PROGRAMFILES%\Cisco\Cisco AnyConnect VPN Client\res\. Table 8-1 lists the files that you can replace and the client GUI area affected.
Note
%PROGRAMFILES% refers to the environmental variable by the same name. In most Windows installation, this is C:\Program Files.
Table 8-1
Client GUI Area Affected Corporate logo that appears on each tab of the user interface. Icon that appears on the Connection tab. Icon that appears on the Statistics tab. Icon that appears on the About tab.
8-1
Table 8-1
Client GUI Area Affected Tray icon that displays when the client is connected. Tray icon that displays when the client is not connected. Tray icon that displays when the client is in the process of disconnecting.
All files for Linux are located in /opt/cisco/vpn/pixmaps/. Table 8-2 lists the files that you can replace and the client GUI area affected.
Table 8-2 Customizing the AnyConnect VPN Client for Linux GIU
Filename in Linux Installation company-logo.png vpnui48.png systray_connected.png systray_notconnected.png systray_disconnecting.png cvc-info.png cvc-disconnect.png cvc-connect.png cvc-about.png
For Mac OS X
Client GUI Area Affected Corporate logo that appears on each tab of the user interface. Main program icon. Tray icon that displays when the client is connected. Tray icon that displays when the client is not connected. Tray icon that displays when the client is in the process of disconnecting. Icon that appears on the Statistics tab. Icon that appears next to the Disconnect button. Icon that appears next to the Connect button, and on the Connection tab. Icon that appears on the About tab.
All files for OS X are located in /Applications/Cisco AnyConnect VPN Client/Contents/Resources. Table 8-3 lists the files that you can replace and the client GUI area affected.
Table 8-3 Customizing the AnyConnect VPN Client for Mac OS X
Filename in Mac OS X Installation bubble.png logo.png menu_idle.png menu_connected.png menu_error.png connected.png warning.png vpngui.icns
Client GUI Area Affected Notification bubble that appears when the client connects or disconnects. Logo icon that appears on main screen in the top right corner. Disconnected idle menu bar icon. Connected state menu bar icon. Error state menu bar icon. Icon that displays under the disconnect button when the client is connected. Icon that replaces login fields on various authentication/certificate warnings. Mac OS X icon file format that is used for all icon services, such as Dock, Sheets, and Finder.
8-2
OL-12950-012
Chapter 8
Customizing and Localizing the AnyConnect Client Customizing the End-user Experience
Understanding Language Translation, page 8-3 Creating or Modifying a Translation Table Using CLI, page 8-8 Referencing the Language in a Customization Object, page 8-10 Changing a Group Policy or User Attributes to Use the Customization Object, page 8-12
Translation Domain AnyConnect CSD customization banners PortForwarder url-list webvpn plugin-ica plugin-rdp plugin-telnet,ssh plugin-vnc
Functional Areas Translated Messages displayed on the user interface of the Cisco AnyConnect VPN Client. Messages for the Cisco Secure Desktop (CSD). Messages on the logon and logout pages, portal page, and all the messages customizable by the user. Banners displayed to remote users and messages when VPN access is denied. Messages displayed to Port Forwarding users. Text that user specifies for URL bookmarks on the portal page. All the layer 7, AAA and portal messages that are not customizable. Messages for the Citrix plug-in. Messages for the Remote Desktop Protocol plug-in. Messages for the Telnet and SSH plug-in. Messages for the VNC plug-in.
The standard software image package for the security appliance includes a translation table template for each domain. The templates for plug-ins are included with the plug-ins and define their own translation domains. You can export the template for a translation domain, which in some cases creates an XML file of the template at the URL or IP address you provide. The message fields in this file are empty. You can edit the messages and import the template to create a new translation table object that resides in flash memory.
8-3
You can also export an existing translation table. The XML file created displays the messages you edited previously. Reimporting this XML file with the same language name creates a new version of the translation table object, overwriting previous messages. Some templates are static, but some change based on the configuration of the security appliance. Because you can customize the logon and logout pages, portal page, and URL bookmarks for clientless users, the security appliance generates the customization and url-list translation domain templates dynamically, and the template automatically reflects your changes to these functional areas. After you create translation tables, they are available to customization objects that you create and apply to group policies or user attributes. With the exception of the AnyConnect translation domain, a translation table has no effect, and messages are not translated on user screens, until you create a customization object, identify a translation table to use in that object, and specify that customization for the group policy or user. Changes to the AnyConnect translations are automatically downloaded to clients the next time they connect to the Secure Gateway.
Note
Both the AnyConnect VPN client and Clientless SSL VPN use the same localization mechanism, and the path merely reflects this. The language localization pane shows the language of existing language localization tables and the language localization templates the translation tables are based on and lets you add, edit, delete, import, or export language localization templates. Using the buttons on this pane, you can configure language translation tables that the security appliance uses to translate titles and messages associated with the portal page, the AnyConnect VPN client user interface, Cisco Secure Desktop, and plug-ins.
8-4
OL-12950-012
Chapter 8
Customizing and Localizing the AnyConnect Client Customizing the End-user Experience
Figure 8-1
Fields
AddLaunches the Add Localization Entry dialog where you can select a localization template to add and you can edit the contents of the template. EditLaunches the Edit Localization Entry dialog for the selected language in the table, and allows you to edit the previously-imported language localization table. DeleteDeletes a selected language localization table. ImportLaunches the Import Language Localization dialog where you can import a language localization template or table. ExportLaunches the Export Language Localization dialog where you can export a language localization template or table to a URL or IP address where you can make changes to the table or template. LanguageThe language of existing Language Localization tables. Language Localization TemplateThe template on which the table is based.
8-5
On the Language Localization pane, click Add or Edit. The Add (or Edit) Language Localization dialog box (Figure 8-2) displays. You can add a new translation table, based on a template, or you can modify an already-imported translation table from this pane.
Figure 8-2 Add Language Localization Dialog Box
Step 2 Step 3
Select a Language Localization Template from the drop-down box. The entries in the box correspond to functional areas that are translated. For list of templates and functional areas, see Table 8-4 on page 8-3. Specify a language for the template. The template becomes a translation table in cache memory with the name you specify. Use an abbreviation that is compatible with the language options for your browser. For example, if you are creating a table for the Chinese language, and you are using Internet Explorer, use the abbreviation zh, that is recognized by Internet Explorer.
Note
Consult the online help for your specific browser to see what the appropriate language abbreviations are for that browser and make sure that you have added the appropriate languages to your list of languages that you want to use to display web pages in that browser. Adding languages does not ensure that your computer has a font that can display web pages in your preferred language. In addition, most web pages contain information that tells the browser what language encoding (language and character set) to use. Your browser might have a facility to automatically determine the appropriate encoding. See the online help for your browser for specific information about multiple language support. Edit the translation table. For each message represented by the msgid field that you want to translate, enter the translated text between the quotes of the associated msgstr field. The example below shows the message Connected, with the Spanish text in the msgstr field:
msgid "Connected"
Step 4
8-6
OL-12950-012
Chapter 8
Customizing and Localizing the AnyConnect Client Customizing the End-user Experience
msgstr "Conectado"
Note
With the AnyConnect VPN Client, the first user message to appear does not correctly translate, because that message is missing from the AnyConnect message catalog in the AnyConnect.po template. You retrieve AnyConnect.po from the security appliance using the export procedure. You export the AnyConnect template, AnyConnect.po, add the additional message, and insert the desired translations for the messages currently in the file. When this is complete, you use the import procedure, which specifies the language. You do not reimport the template itself. Only the updated file, which includes the translations, is reloaded. To ensure that the first user message appears correctly translated, add the following lines to the message catalog file that you are using for translations, before re-importing it with the missing tags:
msgid "Please enter your username and password." msgstr ""
The message string (msgstr) value should be your translation of the English string in msgid.
Step 5
Click OK. The new table appears in the list of translation tables.
8-7
Fields
LanguageEnter a name for the language. When exporting, it is automatically filled-in with the name from the entry you selected in the table. When importing, you enter the language name in the manner that you want it to be identified. The imported translation table then appears in the list with the abbreviation you designated. To ensure that your browser recognizes the language, use language abbreviations that are compatible with the language options of the browser. For example, if you are using IE, use zh as the abbreviation for the Chinese language. Localization Template NameThe name of the XML file containing the message fields. The following templates are available:
AnyConnectMessages displayed on the user interface of the Cisco AnyConnect VPN Client. CSDMessages for the Cisco Secure Desktop (CSD). customizationMessages on the logon and logout pages, portal page, and all the messages
Select a fileChoose the method by which you want to import or export the file.
Remote serverSelect this option to import a customization file that resides on a remote server
8-8
OL-12950-012
Chapter 8
Customizing and Localizing the AnyConnect Client Customizing the End-user Experience
Step 1
Export a translation table template to a computer with the export webvpn translation-table command from privileged EXEC mode. In the following example, the show webvpn translation-table command shows available translation table templates and tables.
hostname# show import webvpn translation-table Translation Tables' Templates: AnyConnect PortForwarder banners csd customization url-list webvpn Translation Tables: test hostname#
customization
The next example exports the translation table template for the AnyConnect domain, which affects messages displayed to AnyConnect client users. In this example, the filename of the XML file created is test (user-specified), and it contains empty message fields:
hostname# export webvpn translation-table AnyConnect template tftp://209.165.200.225/test
Step 2
Edit the translation table XML file. The following example shows a portion of the template that was exported as test. The end of this output includes a message ID field (msgid) and a message string field (msgstr) for the message Clientless SSL VPN Service, which is displayed on the portal page when a Clientless user establishes a VPN connection. The complete template contains many pairs of message fields:
# Copyright (C) 2007 by Cisco Systems, Inc. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: ASA\n" "Report-Msgid-Bugs-To: support@cisco.com\n" "POT-Creation-Date: 2007-04-23 18:57 GMT\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <LL@li.org>\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #: DfltCustomization:24 DfltCustomization:64 msgid "Clientless SSL VPN Service" msgstr ""
The message ID field (msgid) contains the default translation. The message string field (msgstr) that follows msgid provides the translation. To create a translation, enter the translated text between the quotes of the msgstr string.
Step 3
Import the translation table using the import webvpn translation-table command from privileged EXEC mode. In the following example, the XML file is imported es-usthe abbreviation for Spanish spoken in the United States.
8-9
hostname# import webvpn translation-table customization language es-us tftp://209.165.200.225/portal hostname# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! hostname# show import webvpn translation-table Translation Tables' Templates: AnyConnect PortForwarder csd customization keepout url-list webvpn Citrix-plugin RPC-plugin Telnet-SSH-plugin VNC-plugin Translation Tables: es-us customization
If you import a translation table for the AnyConnect domain, your changes to the AnyConnect translations are automatically downloaded to clients the next time they connect to the Secure Gateway. If you import a translation table for any other domain, you must continue to Step 4, where you create a customization object, identify the translation table to use in that object, and specify that customization object for the group policy or user.
Referencing the Language in a Customization Object
Now that you have created a translation table, you need to refer to this table in a customization object. Steps 4 through 6 describe how to export the customization template, edit it, and import it as a customization object:
Step 4
Export a customization template to a URL or IP address where you can edit it using the export webvpn customization template command from privileged EXEC mode. The example below exports the template and creates the copy sales at the URL or IP address specified:
hostname# export webvpn customization template tftp://209.165.200.225/sales
Step 5
Edit the customization template and reference the previously-imported translation table. Two areas of XML code in the customization template pertain to translation tables. The first area, shown below, specifies the translation tables to use:
<localization> <languages>en,ja,zh,ru,fr</languages> <default-language>en</default-language> </localization>
The <languages> tag in the code is followed by the names of the translation tables. In this example code, they are en, ja, zh, ru, and fr (English, Japanese, Chinese, Russian, and French). For the customization object to call these translation tables correctly, the tables must have been previously imported using the exact same names. These names must be compatible with language options of the browser.
Note
Consult the online help for your specific browser to see what the appropriate language abbreviations are for that browser and make sure that you have added the appropriate languages to your list of languages that you want to use to display web pages in that browser. Adding languages does not ensure that your computer has a font that can display web pages in your preferred language. In addition, most web pages
8-10
OL-12950-012
Chapter 8
Customizing and Localizing the AnyConnect Client Customizing the End-user Experience
contain information that tells the browser what language encoding (language and character set) to use. Your browser might have a facility to automatically determine the appropriate encoding. See the online help for your browser for specific information about multiple language support. The <default-language> tag specifies the language that the remote user first encounters when connecting to the security appliance. In the example code above, the language is English. Figure 8-4 shows the login page and the Language Selector. This Language Selector gives remote users establishing an SSL VPN connection the ability to select the language of their choice.
Figure 8-4 Language Selector
The following XML code affects the display of the Language Selector, and includes the <language selector> tag and the associated <language> tags that enable and customize the Language Selector:
<auth-page> .... <language-selector> <mode>enable</mode> <title l10n="yes">Language:</title> <language> <code>en</code> <text>English</text> </language> <language> <code>es-us</code> <text>Spanish</text> </language> </language-selector>
The <language-selector> group of tags includes the <mode> tag that enables and disables the displaying of the Language Selector, and the <title> tag that specifies the title of the drop-down box listing the languages. The <language> group of tags includes the <code> and <text> tags that map the language name displayed in the Language Selector drop-down box to a specific translation table. Make your changes to this file and save the file.
Step 6
Import the customization template as a new object named sales, using the import webvpn customization command from privileged EXEC mode. For example:
hostname# import webvpn customization sales tftp://209.165.200.225/sales hostname# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
8-11
The output of the show import webvpn customization command shows the new customization object sales:
hostname(config)# show import webvpn customization Template sales hostname(config)#
Now that you have created the customization object, you must activate your changes for specific groups or users. Step 7 shows how to enable the customization object in a group policy:
Step 7
Enter the group policy webvpn configuration mode for a group policy and enable the customization object using the customization command. The following example shows the customization object sales enabled in the group policy sales:
hostname(config)# group-policy sales attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)# customization value sales
Note
With the AnyConnect VPN Client, the first user message to appear does not correctly translate, because that message is missing from the AnyConnect message catalog in the AnyConnect.po template. You retrieve AnyConnect.po from the security appliance using the export procedure:
export webvpn translation-table AnyConnect template url
The variable url includes the file name that you supply; for example:
https://192.168.200.30/my_anyconnect_translation_template
After you export the AnyConnect template, you add the additional message and insert the desired translations for the messages currently in the file. When this is complete, you use the import procedure, which specifies the language. You do not reimport the template itself. Only the updated file, which includes the translations, is reloaded. The import command is:
import webvpn translation-table AnyConnect language en url
The url variable is the address and the filename of the XML file that you edited. To ensure that the first user message appears correctly translated, add the following lines to the message catalog file that you are using for translations, before re-importing it with the missing tags:
msgid "Please enter your username and password." msgstr ""
The message string (msgstr) value should be your translation of the English string in msgid.
8-12
OL-12950-012
CH A P T E R
Viewing AnyConnect Client and SSL VPN Sessions, page 9-1 Adjusting MTU Size Using ASDM, page 9-2 Logging Off AnyConnect Client Sessions, page 9-3 Updating AnyConnect Client and SSL VPN Client Images, page 9-4
: none
To see more detailed information, including the number of AnyConnect (SSL VPN) tunnels, DTLS tunnels, and Clientless tunnels, use the command show vpn-sessiondb detail svc.
9-1
Select Advanced > SSL VPN Client. Uncheck the Inherit check box and specify the appropriate value in the MTU field. The default size for this command in the default group policy is 1406. The MTU size is adjusted automatically based on the MTU of the interface that the connection uses, minus the IP/UDP/DTLS overhead. This setting affects only the AnyConnect Client. The Cisco SSL VPN Client (SVC) is not capable of adjusting to different MTU sizes. This setting affects AnyConnect Client connections established in SSL and those established in SSL with DTLS.
9-2
OL-12950-012
Chapter 9
Monitoring and Maintaining the AnyConnect Client Viewing AnyConnect Client and SSL VPN Sessions
This command affects only the AnyConnect Client. The Cisco SSL VPN Client (SVC) is not capable of adjusting to different MTU sizes. The default size for this command in the default group policy is 1406. The MTU size is adjusted automatically based on the MTU of the interface that the connection uses, minus the IP/UDP/DTLS overhead. This command affects AnyConnect Client connections established in SSL and those established in SSL with DTLS. The following example configures the MTU size to 1200 bytes for the group policy telecommuters:
hostname(config)# group-policy telecommuters attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)# svc mtu 1200
Many consumer-grade end user terminating devices (for example, a home router) do not properly handle the creation or assembly of IP fragments. This is particularly true of UDP. Since DTLS is a UDP-based protocol, it is sometimes necessary to reduce the MTU to prevent fragmentation. The MTU parameter is used by both the client and the security appliance to set the maximum size of the packet to be transmitted over the tunnel. If an end user is experiencing a significant amount of lost packets, or if an application such as Microsoft Outlook is not functioning over the tunnel, it might indicate a fragmentation issue. Lowering the MTU for that user or group of users may address the problem. The client proposes an MTU value that is 94 bytes less than the MTU of the physical adapter used for the SSL and DTLS connection to the security appliance. The security appliance accepts the lesser of the configured MTU or the value proposed by the client. Both the client and the security appliance use the value selected by the security appliance. For example, if the physical adapter on the PC has been changed to use an MTU of 1300, then the client proposes an MTU of 1206 to the security appliance. If the security appliance is set for a value lower than 1206, both the client and the security appliance use the lower value that was set using the MTU configuration command.
You can log off individual sessions using either the name option, or the index option: vpn-sessiondb logoff name name vpn-sessiondb logoff index index For example, to log off the user named tester, enter the following command:
hostname# vpn-sessiondb logoff name tester Do you want to logoff the VPN session(s)? [confirm]
9-3
You can find both the username and the index number (established by the order of the client images) in the output of the show vpn-sessiondb svc command (see Viewing AnyConnect Client and SSL VPN Sessions, page 9-1). The following example terminates that session using the name option of the vpn-sessiondb logoff command:
hostname# vpn-sessiondb logoff name testuser INFO: Number of sessions with name "tesstuser" logged off : 1
Copy the new client images to the security appliance using the copy command from privileged EXEC mode, or using another method. If the new client image files have the same filenames as the files already loaded, reenter the svc image command that is in the configuration. If the new filenames are different, uninstall the old files using the no svc image command. Then use the svc image command to assign an order to the images and cause the security appliance to load the new images.
9-4
OL-12950-012
A P P E N D I X
Sample AnyConnect Profile, page A-1 Sample AnyConnect Profile Schema, page A-3
Caution
Do not cut and paste this example from this document. Doing so introduces line breaks that can break your XML. Instead, open the profile template file in a text editor such as notepad or wordpad. Use the template that appears after installing AnyConnect on a workstation: \Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.tmpl
A-1
The ClientInitialization section represents global settings for the client. In some cases (e.g. BackupServerList) host specific overrides are possible. --> <ClientInitialization> <!-The Start Before Logon feature can be used to activate the VPN as part of the logon sequence. UserControllable: Does the administrator of this profile allow the user to control this attribute for their own use. Any user setting associated with this attribute will be stored elsewhere. --> <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon> <!-If user is importing a certificate using the enrollment feature, this attribute will enforce any pin application requirement. --> <CertEnrollmentPin>pinAllowed</CertEnrollmentPin> <!-This section enables the definition of various attributes that can be used to refine client certificate selection. --> <CertificateMatch> <!-Certificate Key attributes that can be used for choosing acceptable client certificates. --> <KeyUsage> <MatchKey>Non_Repudiation</MatchKey> <MatchKey>Digital_Signature</MatchKey> </KeyUsage> <!-Certificate Extended Key attributes that can be used for choosing acceptable client certificates. --> <ExtendedKeyUsage> <ExtendedMatchKey>ClientAuth</ExtendedMatchKey> <ExtendedMatchKey>ServerAuth</ExtendedMatchKey> <CustomExtendedMatchKey>1.3.6.1.5.5.7.3.11</CustomExtendedMatchKey> </ExtendedKeyUsage> <!-Certificate Distinguished Name matching allows for exact match criteria in the choosing of acceptable client certificates. --> <DistinguishedName> <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled"> <Name>CN</Name> <Pattern>ASASecurity</Pattern> </DistinguishedNameDefinition> <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled"> <Name>L</Name> <Pattern>Boulder</Pattern> </DistinguishedNameDefinition> </DistinguishedName> </CertificateMatch> <!-Collection of one or more backup servers to be used in case the user selected one fails. --> <BackupServerList> <!--
A-2
OL-12950-012
Appendix A
Sample AnyConnect Profile and XML Schema Sample AnyConnect Profile Schema
Can be a FQDN or IP address. --> <HostAddress>cvc-asa-02.cisco.com</HostAddress> <HostAddress>10.94.146.172</HostAddress> </BackupServerList> </ClientInitialization> <!-This section contains the list of hosts the user will be able to select from. --> <ServerList> <!-This is the data needed to attempt a connection to a specific host. --> <HostEntry> <!-Can be an alias used to refer to the host or an FQDN or IP address. If an FQDN or IP address is used, a HostAddress is not required. --> <HostName>CVC-ASA-02</HostName> <HostAddress>cvc-asa-02.cisco.com</HostAddress> </HostEntry> <HostEntry> <HostName>CVC-ASA-01</HostName> <HostAddress>10.94.146.172</HostAddress> <!-This backup server list represents an override to the global one defined previously. --> <BackupServerList> <HostAddress>cvc-asa-03.cisco.com</HostAddress> <HostAddress>10.94.146.173</HostAddress> </BackupServerList> </HostEntry> </ServerList> </AnyConnectProfile>
A-3
<xs:documentation>A HostEntry comprises the data needed to identify and connect to a specific host.</xs:documentation> </xs:annotation> <xs:complexType> <xs:sequence> <xs:element name="HostName"> <xs:annotation> <xs:documentation>Can be an alias used to refer to the host or an FQDN or IP address. If an FQDN or IP address is used, a HostAddress is not required.</xs:documentation> </xs:annotation> </xs:element> <xs:element name="HostAddress" minOccurs="0"> <xs:annotation> <xs:documentation>Can be a FQDN or IP address.</xs:documentation> </xs:annotation> </xs:element> <xs:element name="BackupServerList" type="ns1:BackupServerList" minOccurs="0"> <xs:annotation> <xs:documentation>Collection of one or more backup servers to be used in case the user selected one fails.</xs:documentation> </xs:annotation> </xs:element> </xs:sequence> </xs:complexType> </xs:element> </xs:sequence> </xs:complexType> <xs:complexType name="AnyConnectClientProfile"> <xs:annotation> <xs:documentation>This is the XML schema definition for the Cisco AnyConnect VPN Client Profile XML file. The VPN Client Initialization is a repository of information used to manage the Cisco VPN client software. This file is intended to be maintained by a Secure Gateway administrator and then distributed with the client software. The xml file based on this schema can be distributed to clients at any time. The distribution mechanisms supported are as a bundled file with the software distribution or as part of the automatic download mechanism. The automatic download mechanism only available with certain Cisco Secure Gateway products.</xs:documentation> </xs:annotation> <xs:sequence> <xs:element name="ClientInitialization" minOccurs="0"> <xs:annotation> <xs:documentation>The ClientInitialization section represents global settings for the client. In some cases (e.g. BackupServerList) host specific overrides are possible.</xs:documentation> </xs:annotation> <xs:complexType> <xs:sequence> <xs:element name="UseStartBeforeLogon" default="false" minOccurs="0"> <xs:annotation> <xs:documentation>The Start Before Logon feature can be used to activate the VPN as part of the logon sequence.</xs:documentation> </xs:annotation> <xs:complexType> <xs:simpleContent> <xs:extension base="ns1:simpleBinary"> <xs:attribute name="UserControllable" default="false"> <xs:annotation>
A-4
OL-12950-012
Appendix A
Sample AnyConnect Profile and XML Schema Sample AnyConnect Profile Schema
<xs:documentation>Does the administrator of this profile allow the user to control this attribute for their own use. Any user setting associated with this attribute will be stored elsewhere.</xs:documentation> </xs:annotation> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="true"> <xs:annotation> <xs:documentation>user is allowed to control this setting.</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="false"> <xs:annotation> <xs:documentation>user is not allowed to control this setting.</xs:documentation> </xs:annotation> </xs:enumeration> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="CertEnrollmentPin" default="pinAllowed" minOccurs="0"> <xs:annotation> <xs:documentation>If user is importing a certificate using the enrollment feature, this attribute will enforce any pin application requirement.</xs:documentation> </xs:annotation> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="noPin"> <xs:annotation> <xs:documentation>user may not enter a pin when enrolling a certificate.</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="pinAllowed"> <xs:annotation> <xs:documentation>user may enter a pin when enrolling a certificate.</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="pinRequired"> <xs:annotation> <xs:documentation>user must enter a pin when enrolling a certificate.</xs:documentation> </xs:annotation> </xs:enumeration> </xs:restriction> </xs:simpleType> </xs:element> <xs:element name="CertificateMatch" minOccurs="0"> <xs:annotation> <xs:documentation>This section enables the definition of various attributes that can be used to refine client certificate selection.</xs:documentation> </xs:annotation> <xs:complexType> <xs:sequence>
A-5
<xs:element name="KeyUsage" type="ns1:KeyUsage" minOccurs="0"> <xs:annotation> <xs:documentation>Certificate Key attributes that can be used for choosing acceptable client certificates.</xs:documentation> </xs:annotation> </xs:element> <xs:element name="ExtendedKeyUsage" type="ns1:ExtendedKeyUsage" minOccurs="0"> <xs:annotation> <xs:documentation>Certificate Extended Key attributes that can be used for choosing acceptable client certificates.</xs:documentation> </xs:annotation> </xs:element> <xs:element name="DistinguishedName" type="ns1:DistinguishedName" minOccurs="0"> <xs:annotation> <xs:documentation>Certificate Distinguished Name matching allows for exact match criteria in the choosing of acceptable client certificates.</xs:documentation> </xs:annotation> </xs:element> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="BackupServerList" type="ns1:BackupServerList" minOccurs="0"> <xs:annotation> <xs:documentation>Collection of one or more backup servers to be used in case the user selected one fails.</xs:documentation> </xs:annotation> </xs:element> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="ServerList" type="ns1:HostEntry" minOccurs="0"> <xs:annotation> <xs:documentation>This section contains the list of hosts the user will be able to select from.</xs:documentation> </xs:annotation> </xs:element> </xs:sequence> </xs:complexType> <xs:complexType name="BackupServerList"> <xs:annotation> <xs:documentation>Collection of one or more backup servers to be used in case the user selected one fails.</xs:documentation> </xs:annotation> <xs:sequence> <xs:element name="HostAddress" maxOccurs="unbounded"> <xs:annotation> <xs:documentation>Can be a FQDN or IP address.</xs:documentation> </xs:annotation> </xs:element> </xs:sequence> </xs:complexType> <xs:complexType name="KeyUsage"> <xs:annotation> <xs:documentation>Certificate Key attributes that can be used for choosing acceptable client certificates.</xs:documentation> </xs:annotation> <xs:sequence> <xs:element name="MatchKey" maxOccurs="9">
A-6
OL-12950-012
Appendix A
Sample AnyConnect Profile and XML Schema Sample AnyConnect Profile Schema
<xs:annotation> <xs:documentation>One or more match key may be specified. A certificate must match at least one of the specified key to be selected.</xs:documentation> </xs:annotation> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="Decipher_Only"/> <xs:enumeration value="Encipher_Only"/> <xs:enumeration value="CRL_Sign"/> <xs:enumeration value="Key_Cert_Sign"/> <xs:enumeration value="Key_Agreement"/> <xs:enumeration value="Data_Encipherment"/> <xs:enumeration value="Key_Encipherment"/> <xs:enumeration value="Non_Repudiation"/> <xs:enumeration value="Digital_Signature"/> </xs:restriction> </xs:simpleType> </xs:element> </xs:sequence> </xs:complexType> <xs:complexType name="ExtendedKeyUsage"> <xs:annotation> <xs:documentation>Certificate Extended Key attributes that can be used for choosing acceptable client certificates.</xs:documentation> </xs:annotation> <xs:sequence> <xs:element name="ExtendedMatchKey" nillable="false" minOccurs="0" maxOccurs="10"> <xs:annotation> <xs:documentation>Zero or more extended match key may be specified. certificate must match all of the specified key(s) to be selected.</xs:documentation> </xs:annotation> <xs:simpleType> <xs:restriction base="xs:string"> <xs:whiteSpace value="collapse"/> <xs:enumeration value="ServerAuth"> <xs:annotation> <xs:documentation>1.3.6.1.5.5.7.3.1</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ClientAuth"> <xs:annotation> <xs:documentation>1.3.6.1.5.5.7.3.2</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="CodeSign"> <xs:annotation> <xs:documentation>1.3.6.1.5.5.7.3.3</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="EmailProtect"> <xs:annotation> <xs:documentation>1.3.6.1.5.5.7.3.4</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="IPSecEndSystem"> <xs:annotation> <xs:documentation>1.3.6.1.5.5.7.3.5</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="IPSecTunnel"> <xs:annotation> <xs:documentation>1.3.6.1.5.5.7.3.6</xs:documentation>
A-7
</xs:annotation> </xs:enumeration> <xs:enumeration value="IPSecUser"> <xs:annotation> <xs:documentation>1.3.6.1.5.5.7.3.7</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="TimeStamp"> <xs:annotation> <xs:documentation>1.3.6.1.5.5.7.3.8</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="OCSPSign"> <xs:annotation> <xs:documentation>1.3.6.1.5.5.7.3.9</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="DVCS"> <xs:annotation> <xs:documentation>1.3.6.1.5.5.7.3.10</xs:documentation> </xs:annotation> </xs:enumeration> </xs:restriction> </xs:simpleType> </xs:element> <xs:element name="CustomExtendedMatchKey" minOccurs="0" maxOccurs="10"> <xs:annotation> <xs:documentation>Zero or more custom extended match key may be specified. A certificate must match all of the specified key(s) to be selected. The key should be in OID form (e.g. 1.3.6.1.5.5.7.3.11)</xs:documentation> </xs:annotation> <xs:simpleType> <xs:restriction base="xs:string"> <xs:whiteSpace value="collapse"/> <xs:minLength value="1"/> <xs:maxLength value="30"/> </xs:restriction> </xs:simpleType> </xs:element> </xs:sequence> </xs:complexType> <xs:complexType name="DistinguishedName"> <xs:annotation> <xs:documentation>Certificate Distinguished Name matching allows for exact match criteria in the choosing of acceptable client certificates.</xs:documentation> </xs:annotation> <xs:sequence> <xs:element name="DistinguishedNameDefinition" maxOccurs="10"> <xs:annotation> <xs:documentation>This element represents the set of attributes to define a single Distinguished Name mathcing definition.</xs:documentation> </xs:annotation> <xs:complexType> <xs:sequence> <xs:element name="Name"> <xs:annotation> <xs:documentation>Distinguished attribute name to be used in mathcing.</xs:documentation> </xs:annotation> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="CN"> <xs:annotation>
A-8
OL-12950-012
Appendix A
Sample AnyConnect Profile and XML Schema Sample AnyConnect Profile Schema
<xs:documentation>Subject Common Name</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="SN"> <xs:annotation> <xs:documentation>Subject Sur Name</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="GN"> <xs:annotation> <xs:documentation>Subject Given Name</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="N"> <xs:annotation> <xs:documentation>Subject Unstruct Name</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="I"> <xs:annotation> <xs:documentation>Subject Initials</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="GENQ"> <xs:annotation> <xs:documentation>Subject Gen Qualifier</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="DNQ"> <xs:annotation> <xs:documentation>Subject Dn Qualifier</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="C"> <xs:annotation> <xs:documentation>Subject Country</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="L"> <xs:annotation> <xs:documentation>Subject City</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="SP"> <xs:annotation> <xs:documentation>Subject State</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ST"> <xs:annotation> <xs:documentation>Subject State</xs:documentation> </xs:annotation> </xs:enumeration>
A-9
<xs:enumeration value="O"> <xs:annotation> <xs:documentation>Subject Company</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="OU"> <xs:annotation> <xs:documentation>Subject Department</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="T"> <xs:annotation> <xs:documentation>Subject Title</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="EA"> <xs:annotation> <xs:documentation>Subject Email Address</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-CN"> <xs:annotation> <xs:documentation>Issuer Common Name</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-SN"> <xs:annotation> <xs:documentation>Issuer Sur Name</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-GN"> <xs:annotation> <xs:documentation>Issuer Given Name</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-N"> <xs:annotation> <xs:documentation>Issuer Unstruct Name</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-I"> <xs:annotation> <xs:documentation>Issuer Initials</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-GENQ"> <xs:annotation> <xs:documentation>Issuer Gen Qualifier</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-DNQ"> <xs:annotation> <xs:documentation>Issuer Dn Qualifier</xs:documentation>
A-10
OL-12950-012
Appendix A
Sample AnyConnect Profile and XML Schema Sample AnyConnect Profile Schema
</xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-C"> <xs:annotation> <xs:documentation>Issuer Country</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-L"> <xs:annotation> <xs:documentation>Issuer City</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-SP"> <xs:annotation> <xs:documentation>Issuer State</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-ST"> <xs:annotation> <xs:documentation>Issuer State</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-O"> <xs:annotation> <xs:documentation>Issuer Company</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-OU"> <xs:annotation> <xs:documentation>Issuer Department</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-T"> <xs:annotation> <xs:documentation>Issuer Title</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="ISSUER-EA"> <xs:annotation> <xs:documentation>Issuer Email Address</xs:documentation> </xs:annotation> </xs:enumeration> </xs:restriction> </xs:simpleType> </xs:element> <xs:element name="Pattern" nillable="false"> <xs:annotation> <xs:documentation>The string to use in the match.</xs:documentation> </xs:annotation> <xs:simpleType> <xs:restriction base="xs:string"> <xs:minLength value="1"/> <xs:maxLength value="30"/> <xs:whiteSpace value="collapse"/> </xs:restriction> </xs:simpleType>
A-11
</xs:element> </xs:sequence> <xs:attribute name="Wildcard" default="Disabled"> <xs:annotation> <xs:documentation>Should the pattern include wildcard pattern matching. With wildcarding enabled, the pattern can be anywhere in the string.</xs:documentation> </xs:annotation> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="Disabled"> <xs:annotation> <xs:documentation>wildcard pattern match is not enabled for this definition</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="Enabled"> <xs:annotation> <xs:documentation>wildcard pattern match is enabled for this definition</xs:documentation> </xs:annotation> </xs:enumeration> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="Operator" default="Equal"> <xs:annotation> <xs:documentation>The operator to be used in performing the match</xs:documentation> </xs:annotation> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="Equal"> <xs:annotation> <xs:documentation>equivalent to ==</xs:documentation> </xs:annotation> </xs:enumeration> <xs:enumeration value="NotEqual"> <xs:annotation> <xs:documentation>equivalent to !=</xs:documentation> </xs:annotation> </xs:enumeration> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element> </xs:sequence> </xs:complexType> <xs:element name="AnyConnectProfile" type="ns1:AnyConnectClientProfile"> <xs:annotation> <xs:documentation>The root element representing the AnyConnect Client Profile</xs:documentation> </xs:annotation> </xs:element> <xs:simpleType name="simpleBinary"> <xs:restriction base="xs:string"> <xs:enumeration value="true"> <xs:annotation> <xs:documentation>enables the Start Before Logon feature</xs:documentation> </xs:annotation>
A-12
OL-12950-012
Appendix A
Sample AnyConnect Profile and XML Schema Sample AnyConnect Profile Schema
</xs:enumeration> <xs:enumeration value="false"> <xs:annotation> <xs:documentation>disables the Start Before Logon feature.</xs:documentation> </xs:annotation> </xs:enumeration> </xs:restriction> </xs:simpleType> </xs:schema>
A-13
A-14
OL-12950-012
A P P E N D I X
Using Microsoft Active Directory to Add the Security Appliance to the List of Internet Explorer Trusted Sites for Domain Users
An Active Directory Domain Administrator can push a group policy to domain users that adds the security appliance to the list of trusted sites in Internet Explorer. Note that this differs from the procedure to add the security appliance to the list of trusted sites by individual users, described in Adding a Security Appliance to the List of Trusted Sites (Internet Explorer), page 2-3. This procedure applies only to Internet Explorer on Windows machines that are managed by a domain administrator.
Note
Adding a security appliance to the list of trusted sites for Internet Explorer is required for those running Windows Vista who want to use WebLaunch. To create a policy to add the Security Appliance to the Trusted Sites security zone in Internet Explorer by Group Policy using Active Directory, perform the following steps:
Log on as a member of the Domain Admins group. Open the Active Directory Users and Computers MMC snap-in. Right-click the Domain or Organizational Unit where you want to create the Group Policy Object and click Properties. Select the Group Policy tab. Click New. Type a name for the new Group Policy Object and press Enter. To prevent this new policy from being applied to some users or groups, click Properties. Select the Security tab. Add the user or group that you want to prevent from having this policy, then clear the Read and the Apply Group Policy check boxes in the Allow column. Click OK. Click Edit. Navigate to User Configuration > Windows Settings > Internet Explorer Maintenance > Security. Right-click Security Zones and Content Ratings in the right-hand pane and click Properties. Select Import the current security zones and privacy settings. If prompted, click Continue. Click Modify Settings. Select Trusted Sites and click Sites.
B-1
Appendix B
Using Microsoft Active Directory to Add the Security Appliance to the List of Internet Explorer Trusted
Step 14
Type the URL for the Security Appliance that you want to add to the list of Trusted Sites and click Add. The format can contain a hostname (https://vpn.mycompany.com) or IP address (https://192.168.1.100). It can be an exact match (https://vpn.mycompany.com) or a wildcard (https://*.mycompany.com). Click Close (or OK and OK). Click Close (or OK until all dialog boxes are closed, and close any snap-in window)s. Allow sufficient time for the policy to propagate throughout the domain or forest.
B-2
OL-12950-012
INDEX
A
About tab
6 4 2
compression configuring with ASDM configuring with CLI definition Connection tab
2 3 1 5 9
Add SSL VPN Client Image dialog configuring address assignment features installing
1 1 1
D
Datagram Transport Layer Security (DTLS)
1 1
installing images
installing on a security appliance with CLI AnyConnect profile, sample ASDM installing AnyConnect images automatic installation
2 1 1
14, 7
C
certificate, self-signed or trusted root certificate distinguished name mapping certificate key usage matching certificate match attribute Cisco Secure Desktop CLI commands
1 1 1 1 2 12 2 12 13 4 13
connection enabling
1
fallback to TLS
2 2, 15, 6
E
Edit Internal Group Policy dialog Edit SSL VPN Connection dialog end-user interface customizing
1 13 8 6
Mac OS X connection commands Windows connection commands Client Profile to Download configuring with ASDM Command Line Interface
1 10
F
fallback from DTLS to TLS configuring with ASDM
2 2
IN-1
Index
L
language localization template
6 2
G
getting the necessary files GUI, customizing
1 7
translation
language localization (translation), configuring with ASDM 4 language translation Linux AnyConnect CLI commands
1 3
I
installation
7, 1 2 3
localization
2, 3 6
localization template
M
Mac OS X AnyConnect CLI commands Mac OSX, installing AnyConnect configuring with ASDM Microsoft Installer (MSI) modules, adding
1 1 1 10 1 9
installing AnyConnect
9 8
Windows PC
Internet Explorer adding security appliance to trusted sites IPv6 VPN access
2 5 3
Mozilla, certificates
N K
keepalive messages
11, 8 10
Netscape, certificates
O
Optional Client Module to Download, configuring with ASDM 10
13
IN-2
OL-12950-012
Index
P
profile attributes, configuring downloading user
4 1 4, 2 5 11
SSL VPN Client Images panel SSL VPN connections, enabling SSL VPN Connections panel standalone mode
1 2
2 2
3, 6
profile, AnyConnect
10
installation requirements
R
rekey
2 4, 2
S
SBL (start before login) schema, XML
1 3 2
T
template, localization translation, language using ASDM
7 6 6 1
Security Alert dialog box See also SSL VPN Client Select Address Pool dialog self-signed certificate ServerList attribute SSL VPN Client configuring features enabling
9 12 4
translation table, creating or modifying translation tables, creating or modifying using CLI
2 8 1
Transport Layer Security (TLS), connection trusted root certificate trusted sites adding, using Active Directory adding on individual PCs
8 3 1 4
2 4
U
user interface customizing overview user profile
4 2 1
permanent installation
IN-3
Index
V
VPN Gina installation requirements
2
W
WebLaunch mode
1 1 4
trusted sites IE requirement, individual Windows AnyConnect CLI commands Windows PC, installing AnyConnect Windows Vista trusted sites requirement
4, 1 8 1
X
XML profile file
5 1
IN-4
OL-12950-012